Abstract. Separation logic is a concise method for specifying programs that manipulate
dynamically allocated storage. Partially inspired by separation logic, Implicit Dynamic
Frames has recently been proposed, aiming at first-order tool support. In this paper,
we precisely connect the semantics of these two logics. We define a logic whose syntax
subsumes both that of a standard separation logic, and that of implicit dynamic frames
as sub-syntaxes. We define a total heap semantics for our logic, and, for the separation
logic subsyntax, prove it equivalent to the standard partial heaps model. In order to define
a semantics which works uniformly for both subsyntaxes, we define the novel concept of
a minimal state extension, which provides a different (but equivalent) definition of the
semantics of separation logic implication and magic wand connectives, while also giving
a suitable semantics for these connectives in implicit dynamic frames. We show that our
resulting semantics agrees with the existing definition of weakest pre-condition semantics
for the implicit dynamic frames fragment. Finally, we show that we can encode the
separation logic fragment of our logic into the implicit dynamic frames fragment, preserving
semantics. For the connectives typically supported by tools, this shows that separation
logic can be faithfully encoded in a first-order automatic verification tool (Chalice).



1. Introduction 

Separation logic (SL) [6, 12] is a popular approach to specifying the behaviour of programs,
as it naturally deals with the issues of aliasing. Separation logic assertions extend classical
logic with extra connectives and predicates to describe memory layout. This makes it
difficult to reuse current tool support for verification. Implicit dynamic frames (IDF) [18]
was developed to give the benefits of separation logic specifications, while leveraging existing
tool support for first-order logic.

Although IDF was partially inspired by separation logic, there are many differences 
between SL and IDF that make understanding their relationship difficult. SL does not 
allow expressions that refer to the heap, while IDF does. SL is defined on partial heaps, 
while IDF is defined using total heaps and permission masks. The semantics of IDF are 
only defined by its translation to first-order verification conditions, while SL has a direct
Kripke semantics for its assertions. These differences make it challenging to understand the 
relationship between the two approaches. 

In this paper, we investigate the formal relationship between the two approaches. As 
a medium for this comparison, we define a verification logic (which we name Total Heaps 
Permission Logic) whose syntax includes both that of a typical separation logic, and that of 
implicit dynamic frames. We define a semantics for Total Heaps Permission Logic based on 
states which incorporate a total heap and a separate permission mask, that we show both 
captures the original semantics of separation logic, and correctly captures the semantics 
of IDF. Intuitively, the permission mask specifies the locations in the heap which are safe 
to access. Our formulation allows expressions that access the heap to be defined, and this 
complicates the definition of the separation logic "magic wand" and implication connectives. 
In order to define a suitable semantics for these connectives which is compatible with both 
approaches, we introduce the novel concept of minimal extensions of a state, and use this 
to define a novel semantics for these connectives, which nonetheless agrees with the original 
semantics for the separation logic fragment of our logic. Correctly reflecting the standard 
semantics of the separating conjunction and magic wand allows us to use these connectives 
to define the usual separation logic notion of weakest pre-conditions of commands. 

In order to show that our logic correctly captures the semantics of the IDF formulas,
we focus on the form of IDF found in the concurrent verification tool Chalice [10]. As the
semantics of IDF formulas are only defined indirectly via weakest pre-condition calculations
for a language using them, we show that the verification conditions (VCs) generated by the
existing Boogie2 [9] encoding and the VCs generated from the separation logic proof rules
are logically equivalent. This shows that our model directly captures the existing semantics
of IDF.

We make use of these strong correspondences to define an encoding of separation logic
into implicit dynamic frames that preserves semantics. We then define a subsyntax of
separation logic (corresponding to the logical connectives supported by many practical tools),
which maps onto the assertion language supported by Chalice, and show that this fragment
of separation logic can, via our correspondences, be handled in a purely first-order prover.

Outline. The paper is structured as follows. We begin by presenting the background
definitions of both separation logic and implicit dynamic frames (Section 2). We then provide an
overview of the challenges in defining our logic and semantics, and present Total Heaps
Permission Logic (Section 3), characterising various properties of our total heap semantics. We
prove the correspondence between VCs as calculated in separation logic and in implicit
dynamic frames (Section 4), and then combine our proven results to show how to map a fragment
of separation logic into contracts which can be verified by the Chalice tool, preserving their
original semantics (Section 5). Finally, we discuss related work (Section 6), consider possible extensions
and conclude (Section 7).

The contributions of this paper are as follows: 
• We define a total heaps semantics for a logic whose syntax subsumes a separation logic, 
and prove that, for the separation logic fragment, our total heaps semantics is equivalent 
with the standard (partial heaps) semantics for the separation logic. 



THE RELATIONSHIP BETWEEN SEPARATION LOGIC AND IMPLICIT DYNAMIC FRAMES 



• We define a direct semantics for the implicit dynamic frames logic (the specification logic
of the Chalice tool), which has so far only been given a semantics implicitly, via verification
conditions.

• We show how to encode a standard fragment of separation logic into an implicit dynamic 
frames setting, preserving its semantics. 

• We show that verification conditions as computed for separation logic coincide via our 
translation and semantics with the verification conditions computed by Chalice. 

• We present the notion of minimal extensions of a state, and show how it can be used to 
define the semantics of the separation logic implication and magic wand connectives in a 
new way. 

Extensions with regard to the conference version. This paper extends the conference version
[15] by providing a different definition of implication that corresponds to that used in
Chalice. The conference version provided a definition of implication that was correct with
respect to separation logic, but on the formulas used in Chalice it had undesirable behaviour.
We have altered the definitions of implication and magic wand to correctly model both
Chalice and separation logic.

The paper provides extended discussions of the design of the logic, detailing the
requirements which come from each of our target logics. We explicitly define and discuss the various
notions of state extension which were used implicitly in the formulations of the technical 
definitions in our precursor paper. The semantics of implication in the logic is discussed 
in detail, and a new concept of minimal extensions is used to obtain a semantics which 
works well for both target logics. The resulting semantics is formulated differently from 
the traditional presentation of implication in intuitionistic separation logic; our definition 
requires checking the subformulas in fewer states. 

The syntactic condition on when a Chalice assertion was considered self-framing in the
conference paper was overly restrictive, in that it did not reflect that Chalice takes account
of the restrictions provided by an assertion: for instance, $acc(x.f, 1) * y = x * y.f = 5$ would
not have been considered self-framing in the conference version, but is in this paper, and in
Chalice.

We provide a new section (Section 5) which shows how to combine the previously-proved
results to explicitly show that a fragment of separation logic can be equivalently verified
using separation logic weakest pre-conditions, or (via an encoding) using implicit dynamic
frames specifications and weakest pre-condition calculations.

Finally, we provide full details of all proofs. 

2. Background and Motivation 

2.1. Standard Separation Logic. Separation logic [6, 12] is a verification logic which
was originally introduced to handle the verification of sequential programs in languages
with manual memory management, such as C. The key feature of the logic is the ability to
describe the behaviour of commands in terms of disjoint heap fragments, greatly simplifying
the work required when "framing on" extra properties in a modular setting. Since its
inception, separation logic has evolved in a variety of ways. In particular, variants of
separation logic are now used for the verification of object-oriented languages with garbage
collection, such as Java and C# [14].
In order to handle concurrency, separation logic has been extended to consider its
basic points-to assertions as permissions [11], determining which thread is allowed to read
and write the corresponding state. To gain flexibility, fractional permissions [5, H] were
introduced, allowing the permissions governed by points-to assertions to be split and
recombined. A fractional permission is a rational number $0 < \pi \leq 1$, where 1 denotes full and
exclusive (read/write) permission, and any other permission denotes read-only permission.
In this paper we focus on the following core fragment of separation logic with fractional
permissions.

Definition 2.1 (Separation Logic Assertions (SL)). We assume a set of object identifiers,
ranged over by $\iota$. We also assume a set of field identifiers, ranged over by $f$. Values, ranged
over by $v$, are either object identifiers, integers, or the special value $\mathit{null}$.

The syntaxes of separation logic expressions (ranged over by $e$) and assertions (ranged
over by $a$) are defined as follows. In this definition, $n$ ranges over integer constants, and
$0 < \pi \leq 1$.

$e ::= x \mid \mathit{null} \mid n$

$a ::= e = e \mid e.f \mapsto_{\pi} e \mid a * a \mid a \mathbin{-\!*} a \mid a \wedge a \mid a \vee a \mid a \rightarrow a \mid \exists x.\, a$

We will refer to this separation logic simply as SL hereafter.

The key feature of separation logic is the facility to reason locally about separate heap
portions. As such, the standard semantics for separation logic is formulated in terms of
judgements parameterised by partial heaps (sometimes called heap fragments), which can
be split and combined together as required. The critical new connectives are the separating
conjunction $*$, and the magic wand $\mathbin{-\!*}$. The separating conjunction $a_1 * a_2$ expresses that
$a_1$ and $a_2$ are true and depend on disjoint fragments of the heap. The magic wand $a_1 \mathbin{-\!*} a_2$
expresses that if any extra partial heap satisfying $a_1$ is combined with the current partial
heap, then the resulting heap is guaranteed to satisfy $a_2$.

Fractional permissions [H, 5] are employed to manage shared memory concurrency in
the usual way: a thread may only read from a heap location if it has a non-zero permission
to the location, and it may only write to a location if it has the whole (full) permission to it.
By careful permission accounting, it can then be guaranteed that a thread can never modify
a heap location while another thread can read it. Note that permissions are handled (via
points-to predicates $e.f \mapsto_{\pi} e'$) on a per-field basis: it is possible for an assertion to provide
permission for only one field of an object. This fine granularity of permissions allows for
greater flexibility in the resulting logic: it can be specified that different threads have access
to different fields of an object at the same time, for example. Combination of partial heaps
includes combination of their permissions, where they overlap.

Definition 2.2 (Partial Fractional Heaps [1]).

• A partial fractional heap $h$ is a partial function from pairs $(\iota, f)$ of object-identifier and
field-identifier to pairs $(v, \pi)$ of value and non-zero permission $\pi$. Partial heap lookup is
written $h[\iota, f]$, and is only defined when $(\iota, f) \in dom(h)$.

• Partial heap extension: $h_1 \subseteq h_2$ iff $\forall (\iota, f) \in dom(h_1).\ \downarrow_1(h_1[\iota, f]) = \downarrow_1(h_2[\iota, f]) \wedge \downarrow_2(h_1[\iota, f]) \leq \downarrow_2(h_2[\iota, f])$.

• Partial heap compatibility: $h_1 \perp h_2$ iff $\forall (\iota, f) \in dom(h_1) \cap dom(h_2).\ \downarrow_1(h_1[\iota, f]) = \downarrow_1(h_2[\iota, f]) \wedge \downarrow_2(h_1[\iota, f]) + \downarrow_2(h_2[\iota, f]) \leq 1$.

• The combination of two partial heaps, written $h_1 * h_2$, is defined only when $h_1 \perp h_2$ holds,
by the following equations:

$dom(h_1 * h_2) = dom(h_1) \cup dom(h_2)$

$\forall (\iota, f) \in dom(h_1 * h_2).\ (h_1 * h_2)[\iota, f] = \begin{cases} (\downarrow_1(h_1[\iota, f]),\ \downarrow_2(h_1[\iota, f])) & \text{if } (\iota, f) \notin dom(h_2) \\ (\downarrow_1(h_2[\iota, f]),\ \downarrow_2(h_2[\iota, f])) & \text{if } (\iota, f) \notin dom(h_1) \\ (\downarrow_1(h_1[\iota, f]),\ \downarrow_2(h_1[\iota, f]) + \downarrow_2(h_2[\iota, f])) & \text{otherwise} \end{cases}$

We use $\downarrow_n$ to denote the $n$th component of a tuple.

These could be considered to be addresses, but we choose to be parametric with the concrete
implementation of the heap.

Note that variables $x$ need not be program variables, but can also be specification-only variables
(sometimes called logical, ghost or specification variables).

Chalice, described in the next subsection, actually uses a slight variation on fractional permissions to
make automatic theorem proving easier.



There are two main flavours of separation logic studied in the literature: classical
separation logic, and intuitionistic separation logic [6]. In this paper, we consider intuitionistic
separation logic. In intuitionistic separation logic, truth of assertions is closed under heap
extension, which is appropriate for a garbage-collected language such as Java/C#, rather
than a language with manual memory management, such as C. The standard intuitionistic
separation logic semantics for our fragment SL is defined as follows [14].

Definition 2.3 (Standard Semantics for SL [3]). Environments $\sigma$ are partial functions
from variable names to values. Separation logic expression semantics, $[\![e]\!]_\sigma$, are defined by
$[\![x]\!]_\sigma = \sigma(x)$, $[\![n]\!]_\sigma = n$ and $[\![\mathit{null}]\!]_\sigma = \mathit{null}$. The semantics of assertions is then as follows:

$h, \sigma \models_{SL} e_1.f \mapsto_{\pi} e_2 \iff \downarrow_2(h[[\![e_1]\!]_\sigma, f]) \geq \pi \wedge \downarrow_1(h[[\![e_1]\!]_\sigma, f]) = [\![e_2]\!]_\sigma$

$h, \sigma \models_{SL} e = e' \iff [\![e]\!]_\sigma = [\![e']\!]_\sigma$

$h, \sigma \models_{SL} a_1 * a_2 \iff \exists h_1, h_2.\ (h = h_1 * h_2 \wedge h_1, \sigma \models_{SL} a_1 \wedge h_2, \sigma \models_{SL} a_2)$

$h, \sigma \models_{SL} a_1 \mathbin{-\!*} a_2 \iff \forall h'.\ (h' \perp h \wedge h', \sigma \models_{SL} a_1 \Rightarrow h * h', \sigma \models_{SL} a_2)$

$h, \sigma \models_{SL} a_1 \wedge a_2 \iff h, \sigma \models_{SL} a_1 \wedge h, \sigma \models_{SL} a_2$

$h, \sigma \models_{SL} a_1 \vee a_2 \iff h, \sigma \models_{SL} a_1 \vee h, \sigma \models_{SL} a_2$

$h, \sigma \models_{SL} a_1 \rightarrow a_2 \iff \forall h'.\ (h' \perp h \wedge h * h', \sigma \models_{SL} a_1 \Rightarrow h * h', \sigma \models_{SL} a_2)$

$h, \sigma \models_{SL} \exists x.\, a \iff \exists v.\ (h, \sigma[x \mapsto v] \models_{SL} a)$

The semantics for the separating conjunction and magic wand express the required
splitting and combination of partial heaps. The semantics for logical implication $\rightarrow$ considers
all possible extensions of the current heap, so that assertion truth is closed under heap
extension [6]. In examples, we will sometimes write $e.f \mapsto_{\pi} \_$ as a shorthand for $\exists x.\, e.f \mapsto_{\pi} x$.



However, we assume that all applications of environments are well-defined; i.e., whenever we write $\sigma(x)$,
that $x \in dom(\sigma)$. This assumption is justified so long as the program and specifications are type-checked
appropriately.
2.1.1. Assume/Assert. Verification in Boogie2 [9] and related technologies commonly uses
two commands to encode verification: assume $A_1$ and assert $A_1$. The first allows the
verification to work forwards with the additional assumption of $A_1$, while the second requires
$A_1$ to hold, otherwise it will be considered a fault. These can be given weakest precondition
semantics of:

$wp(\mathtt{assert}\ A_1, A_2) = A_1 \wedge A_2 \qquad wp(\mathtt{assume}\ A_1, A_2) = A_1 \rightarrow A_2$

From a verification perspective, these primitives can be used to encode many advanced
language features. For example, in a modular verification setting with a first-order assertion
language, a method call can be encoded by a sequence assert pre; havoc(Heap); assume post,
in which pre and post are the pre- and post-conditions of the method respectively, and
havoc(.) is a Boogie command that causes the prover to forget all knowledge about a
variable/expression.

With separation logic, there are two forms of conjunction and implication, the standard
(additive) ones $\wedge$ and $\rightarrow$, and the separating (multiplicative) ones $*$ and $\mathbin{-\!*}$. This naturally
gives rise to a second form of assume and assert for the multiplicative connectives (assume*
and assert*), with the following weakest precondition semantics:

$wp(\mathtt{assert}^*\ A_1, A_2) = A_1 * A_2 \qquad wp(\mathtt{assume}^*\ A_1, A_2) = A_1 \mathbin{-\!*} A_2$

These commands can be understood as follows: assert* $A_1$ removes a heap fragment
satisfying $A_1$, and assume* $A_1$ adds a heap fragment satisfying $A_1$. In a verification setting
where assertions express permissions as well as functional properties, these can be used
to correctly model the transfer of permissions when encoding various constructs. In a
separation logic setting, a method call can be encoded as assert* pre; assume* post.

In Chalice, which handles an assertion logic based on implicit dynamic frames,
functional verification is based on two new commands: exhale $A_1$ and inhale $A_1$, which are also
given an intuitive semantics of removing and adding access to state. One outcome of this
paper is to make this intuitive connection between exhale/inhale and assert*/assume*
formal, by defining a concrete and common semantics which can correctly characterise both
assertion languages.

2.2. Chalice and Implicit Dynamic Frames. The original concept of Dynamic Frames
comes from the PhD thesis of Kassios [H, 7]. The idea is to tackle the frame problem
by allowing method specifications to declare the portion of the heap they may modify (a
"frame" for the method call) via functions of the heap. The computed frames are therefore
dynamic, in the sense that the actual values determined by these functions may change as
the heap itself gets modified. Implicit dynamic frames [18, 17] takes a different approach
to computing frames: a first-order logic is extended with a new kind of assertion called an
accessibility predicate (written e.g., as $acc(x.f)$) whose role is to represent a permission to a
heap location $x.f$. In a method pre-condition, such an accessibility predicate indicates that
the method requires permission to $x.f$ in order to be called, usually because this location
might be read or written to in the method implementation. By imposing the restriction that
heap dereference expressions (whether in assertions or in method bodies) are only allowed
if a corresponding permission has already been acquired, this specification style allows a
method frame to be calculated implicitly from its pre-condition.

Chalice [10] is a tool written for the automatic verification of concurrent programs. It
handles a fairly simple imperative language, with classes (but no inheritance), and several
interesting concurrency features (locks, channels, fork/join of threads). The tool proves
partial correctness of method specifications, as well as absence of deadlocks. The core of the
methodology is based on the implicit dynamic frames specification logic, using accessibility
predicates to handle the permissions necessary to avoid data races between threads.

In this paper we ignore the deadlock-avoidance aspects of Chalice, and focus on the 
aspects which guarantee functional correctness. Verification in Chalice is defined via an 
encoding into Boogie2, in which two intermediate auxiliary Chalice commands exhale p and 
inhale p are used. These commands reflect the removal and addition of permissions from 
the state, as well as expressing assertions and assumptions about heap values. For example, 
method calls are represented by exhale pre; inhale post. The command exhale pre has 
the effect of giving up any permissions mentioned in accessibility predicates in pre, and 
generating assert statements for any logical properties such as heap equalities. Dually, 
inhale post has the effect of adding any permissions mentioned in post and assuming any 
logical properties. 

Definition 2.4 (Our Chalice Subsyntax). Expressions $E$, boolean expressions $B$ and
assertions $p$ in our fragment of Chalice are given by the following syntax definitions:

$E ::= x \mid n \mid \mathit{null} \mid E.f$

$B ::= E = E \mid E \neq E \mid B * B$

$p ::= B \mid acc(E.f, \pi) \mid p * p \mid B \rightarrow p$

Note that Chalice actually uses the symbol for logical conjunction ($\wedge$ or &&) where we write
$*$ above. However, in terms of the semantics of the logic this is misleading: in general it is not
the case that $p \wedge p$ (as written in Chalice) is equivalent to $p$. Chalice's conjunction treats
permissions multiplicatively, that is, $acc(x.f, 1/2) \wedge acc(x.f, 1/2)$ is equivalent to $acc(x.f, 1)$,
while $acc(x.f, 1) \wedge acc(x.f, 1)$ is actually equivalent to falsity (it describes a state in which
we have more than the full permission to the location $x.f$). As we will show, Chalice
conjunction is actually directly related to the separating conjunction of separation logic,
hence our choice of notation here. Where we use the symbol $\wedge$ later in the paper, we mean
the usual (additive) conjunction, just as in SL or first order logic.

Chalice performs verification condition generation via an encoding into Boogie2, which
makes use of two special variables $\mathcal{P}$ and $\mathcal{H}$. The former maps object-identifier and field-name
pairs to permissions, in this instance a fractional permission, and is used for bookkeeping
of permissions. The latter maps object-identifier and field-name pairs to values, and is
used to model the heap of the real program. These maps can be read from (e.g., $\mathcal{P}[o, f]$)
and updated (e.g., $\mathcal{P}[o, f] := 1$) from within the Boogie2 code, which allows Chalice to
maintain their state appropriately to reflect the modifications made by the source program. In
particular, the inhale and exhale commands have semantics which include modifications
to the $\mathcal{P}$ map, to reflect the addition or removal of permissions by the program.

The critical aspect of Chalice's approach to data races is to guarantee that assertions
about the heap are only allowed when at least some permission is held to each heap location
mentioned. This means that assertions cannot be made when it might be possible for other
threads to be changing these locations: all logical properties used in the verification are
then made robust to possible interference. This is enforced by requiring that assertions
used in verification contracts are self-framing [7], which means that the assertion includes
enough accessibility predicates to "frame" its heap expressions. For example, the assertion



Technically, one should think of $\mathcal{P}$ as a ghost variable, since it does not correspond to real data of the
original program.
$x.f = 5$ is not self-framing, since it refers to the heap location $x.f$ without permission. On
the other hand, $(acc(x.f, 1) * x.f = 5)$ is self-framing.
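An added example, not Chalice's own code: a concrete-state model of exhale and inhale over the total heap, permission mask and environment described above, for the subsyntax of Definition 2.4. The tuple encoding of assertions, the rule that heap reads during an exhale are checked against the mask held when the exhale started, and the left-to-right framing during an inhale are this model's assumptions, not a description of the Boogie2 encoding.

```python
from fractions import Fraction
from typing import Any, Dict, Optional, Tuple

# Added example, not Chalice's own code: a concrete-state model of exhale and
# inhale over a total heap H, a permission mask P and an environment, for the
# Chalice subsyntax of Definition 2.4. Assertions are nested tuples:
#   E: ("var", x) | ("int", n) | ("null",) | ("field", E, f)
#   B: ("eq", E, E) | ("ne", E, E) | ("and", B, B)
#   p: B | ("acc", E, f, Fraction) | ("star", p, p) | ("impl", B, p)
Loc = Tuple[Any, str]
Mask = Dict[Loc, Fraction]

class Fault(Exception):
    """A failed assert, or a heap access without the permission it needs."""

def perm(P: Mask, loc: Loc) -> Fraction:
    return P.get(loc, Fraction(0))  # a location absent from P carries no permission

def eval_E(e, H, P: Mask, env) -> Any:
    """Evaluate an expression; reading E.f needs non-zero permission to (E, f)."""
    if e[0] == "var":
        return env[e[1]]
    if e[0] == "int":
        return e[1]
    if e[0] == "null":
        return None
    obj = eval_E(e[1], H, P, env)
    loc = (obj, e[2])
    if obj is None or perm(P, loc) <= 0:
        raise Fault(f"read of {loc} without permission")
    return H[loc]

def eval_B(b, H, P: Mask, env) -> bool:
    if b[0] == "and":
        return eval_B(b[1], H, P, env) and eval_B(b[2], H, P, env)
    lhs, rhs = eval_E(b[1], H, P, env), eval_E(b[2], H, P, env)
    return lhs == rhs if b[0] == "eq" else lhs != rhs

def exhale(p, H, P: Mask, env) -> Mask:
    """Give up the permissions named in p, assert its boolean parts, return the new
    mask. Modelling assumption: heap reads in p are checked against the mask held
    when the exhale started, so acc(x.f, 1) * x.f = 5 can be exhaled as a whole."""
    new_P = dict(P)
    def go(q):
        if q[0] == "acc":
            loc = (eval_E(q[1], H, P, env), q[2])
            if perm(new_P, loc) < q[3]:
                raise Fault(f"not enough permission to {loc} to give up {q[3]}")
            new_P[loc] = perm(new_P, loc) - q[3]
        elif q[0] == "star":
            go(q[1])
            go(q[2])
        elif q[0] == "impl":
            if eval_B(q[1], H, P, env):
                go(q[2])
        elif not eval_B(q, H, P, env):
            raise Fault(f"exhaled assertion {q} does not hold")
    go(p)
    return new_P

def inhale(p, H, P: Mask, env) -> Optional[Mask]:
    """Gain the permissions named in p and assume its boolean parts, left to right,
    so earlier conjuncts frame later heap reads. Returns the new mask, or None when
    the state is infeasible: a false assumption, or more than full permission to one
    location (the paper equates acc(x.f, 1) * acc(x.f, 1) with falsity)."""
    new_P = dict(P)
    def go(q) -> bool:
        if q[0] == "acc":
            loc = (eval_E(q[1], H, new_P, env), q[2])
            new_P[loc] = perm(new_P, loc) + q[3]
            return new_P[loc] <= 1
        if q[0] == "star":
            return go(q[1]) and go(q[2])
        if q[0] == "impl":
            return go(q[2]) if eval_B(q[1], H, new_P, env) else True
        return eval_B(q, H, new_P, env)
    return new_P if go(p) else None

def faults(thunk) -> bool:
    """True when thunk() raises a Fault, so a failed check can be observed as a value."""
    try:
        thunk()
        return False
    except Fault:
        return True

# Constructed state and assertions: object o1 whose field f holds 5; both x and y
# name o1, so x.f and y.f are the same location.
HALF, FULL = Fraction(1, 2), Fraction(1)
HEAP, ENV = {("o1", "f"): 5}, {"x": "o1", "y": "o1"}
X_F, Y_F = ("field", ("var", "x"), "f"), ("field", ("var", "y"), "f")
ACC_HALF, ACC_FULL = ("acc", ("var", "x"), "f", HALF), ("acc", ("var", "x"), "f", FULL)
X_F_IS_5 = ("eq", X_F, ("int", 5))
SELF_FRAMING = ("star", ACC_FULL, X_F_IS_5)  # acc(x.f, 1) * x.f = 5
ALIASED = ("star", ACC_FULL, ("star", ("eq", ("var", "y"), ("var", "x")),
                              ("eq", Y_F, ("int", 5))))  # acc(x.f, 1) * y = x * y.f = 5
```

Exhaling the bare `x.f = 5` from a state without permission faults, whereas the self-framing form is accepted and leaves no permission behind; inhaling two halves yields the full permission and inhaling two full permissions yields an infeasible state.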

3. Total Heaps Permission Logic (TPL) 

3.1. Race-free Assertions. In order for a static verification tool to be able to reason
soundly about concurrent programs, a crucial aspect is to be able to give a well-defined 
semantics to the assertion language employed. Since other executing threads may interfere 
with the execution of code being verified (for example, by writing to heap locations which 
the current program also accesses; a data race), assertions which describe properties of 
the heap do not, in general, even have a well-defined semantics. For example, consider the 
simple assertion x.f > 5. Such an assertion only has a well-defined semantics (at verification 
time) if, at runtime, the heap location x.f is guaranteed not to be subject to a data race. 
If another thread writes to this location at the "same time" as the assertion is checked to 
hold, the truth of the assertion becomes non-deterministic, depending on the interleaving 
of the memory accesses by the two threads. This makes any reasoning about expressions 
such as x.f as expressions in a logical sense unreliable: assertions such as x.f > x.f could 
even be "true" at runtime, due to interference; a behaviour which any useful verifier will 
struggle to mimic accurately. 

For these reasons, verifiers for concurrent programs need to use a verification
methodology and assertion language whose semantics avoids data races. Both separation logic and
implicit dynamic frames attack this problem by employing notions of (fractional)
permissions. Permissions permit access to particular heap locations, and can be passed around
between threads, with the crucial property that a thread is only allowed to write to a
heap location if no other thread holds a permission to the location. By imposing suitable
restrictions on the assertion language used for verification, one can then guarantee a data-
race-free semantics by passing permissions explicitly along with heap-dependent assertions,
and enforcing the policy that an assertion may only mention a heap location if it also carries
at least some permission to that location. In implicit dynamic frames, these permissions
are represented by "accessibility predicates" $acc(E.f, \pi)$, denoting $\pi$ permission to location
$E.f$. For example, while the assertion $x.f > 5$ does not have a well-defined semantics on
its own, the compound assertion $acc(x.f, \pi) * x.f > 5$ does: the presence of the permission
to the location $x.f$ guarantees that its value in the heap is robust to interference. More
generally, any heap-dependent expression in an assertion can only be given a meaning by
its value being fixed with a permission to the appropriate heap locations. A "self-framing"
assertion is one which is only satisfied in states which carry enough permissions to fix the
values of all heap locations on which it depends; not all assertions are self-framing ($x.f > 5$
is not), but only such assertions can generally be used for verification contracts. The fact
that, in implicit dynamic frames, the permission to access a heap location can come from
a different part of an assertion (e.g., conjunct) than the constraints on the value at that
location, is the main challenge in giving a correct semantics for the logic.

The same challenge does not arise in separation logic, which does not allow heap-
dependent expressions, instead providing the special "points-to" predicates as the sole way
of handling heap accesses. A "points to" predicate $e_1.f \mapsto_{\pi} e_2$ plays a dual role in the
logic: it provides knowledge of the value $e_2$ of the heap location $e_1.f$, and it also provides
a permission $\pi$ to this location, making the value robust to interference. Because there
is no other way to refer directly to heap locations, one cannot ever talk about the value
of a location without having some permission to that location. The observation of this
dual role leads naturally to the idea of encoding separation logic assertions into implicit
dynamic frames by replacing every points-to predicate $e_1.f \mapsto_{\pi} e_2$ by a permission and a
heap-dependent expression: $acc(e_1.f, \pi) * e_1.f = e_2$. This observation can be used as the
basis of a comparison and translation between the two logics. In fact, our approach is to
give a uniform semantics for a logic which subsumes both separation logic and implicit
dynamic frames constructs, and then show that the primitive constructs of the former can
be represented in the latter.

3.2. Overview of Our Approach. In order to formally relate the two paradigms of
separation logic and implicit dynamic frames, we define a new logic which subsumes both
syntaxes. We call this logic Total Heaps Permission Logic (TPL). This logic includes as
primitives both the "points-to" predicates of separation logic, and the "accessibility
predicates" of implicit dynamic frames, along with an expression syntax which permits heap-
dependent expressions. As we will show formally in this paper, this is actually redundant;
one can encode the SL-style primitives into implicit dynamic frames. However, our TPL
serves as a uniform basis for comparing these two logics. We also include all of the common
connectives used in separation logic, which subsume those typically implemented in tools
(based on either approach).

Our approach is to define a semantics for TPL, based on states consisting of a stack
(giving meaning to variables), a total heap, and a permissions mask (defining which locations in
the total heap have reliable values for the current thread). Because our semantics is defined
compositionally, it actually gives a meaning to assertions which are not (by themselves)
well-formed in all states. As discussed above, assertions which mention heap-dependent
expressions such as $x.f > 5$ are not necessarily well-defined when considered in isolation.
However, because the IDF approach allows for such assertions as subformulas of a well-
formed assertion, and because we want to define a compositional semantics for our logic, we
are obliged to give such assertions a semantics, even though (by themselves) they cannot
be used in either approach. In some sense, by encompassing both SL and IDF, we actually
make our assertion logic too general. The presence of ill-formed assertions in our general
logic means that (just as in implicit dynamic frames) we will later have to introduce
additional concepts such as self-framing assertions, in order to identify the fragments of our
logic which are well-behaved.

Definition 3.1 (Total Heaps Permission Logic). We define the expressions $E$ and assertions
$A$ of Total Heaps Permission Logic (TPL), by the following grammar (in which $n$ stands
for any integer constant):

$e ::= x \mid \mathit{null} \mid n$

$E ::= e \mid E.f$

$A ::= E = E \mid E.f \mapsto_{\pi} E \mid A * A \mid A \mathbin{-\!*} A \mid A \wedge A \mid A \vee A \mid A \rightarrow A \mid acc(E.f, \pi) \mid \exists x.\, A$

Note that the syntax of separation logic assertions (ranged over by $a$; see Definition 2.1)
is a strict subset of the TPL assertions $A$ defined above. The syntax of separation logic
expressions $e$ is also a strict subset of TPL expressions $E$. Similarly, the syntax of Chalice
assertions (cf. Definition 2.4) is a subset of our TPL syntax.
Our strategy for the rest of the paper is as follows. We will first investigate carefully
how to define a suitable total-heaps-based semantics for TPL. In particular, we spend
considerable attention on the definition of cases which correspond to modelling state extension
(the implication and magic wand connectives).

We will then show that, for the subsyntax which corresponds to separation logic
assertions, our total heaps semantics coincides with the traditional partial-heaps-based semantics
of the logic (cf. Definition 2.3). Thus, we define a total-heaps model for separation logic,
which is consistent with the standard model. We will further show that the subsyntax of
TPL which covers SL assertions can be mapped into the IDF subsyntax, preserving the
semantics of the assertions. Thus, we can faithfully map from the SL world to an IDF-based
assertion language.

In Section 4 we will show how to connect our TPL model to the Chalice verification
methodology. In particular, we will show that weakest pre-conditions as calculated by
Chalice for a first-order theorem prover, are equivalent to weakest pre-conditions as calculated
in separation logic. By combining this result with our ability to faithfully reflect traditional
SL semantics in TPL, we can show the equivalence of the overall approaches. In particular,
for the subsyntax of SL typically supported by automatic tools, we can show that we can
encode programs with SL specifications as programs with IDF specifications, and compute
equivalent weakest pre-conditions for direct verification by a theorem prover.

3.3. Total vs Partial Heaps. One important technical challenge faced in defining a se- 
mantics for both logics, is that the semantics of separation logic is defined using partial heaps 
(representing heap fragments, which can be split and recombined), while the implementa- 
tion of implicit dynamic frames employs a mutable total heap, and a separate permissions 
mask to keep track of the permissions held in the current state. In order to make a uniform 
semantics for the two logics, we needed to bridge this gap between the two paradigms. We 
achieve this by employing only total heaps and permission masks, and using these to define 
a semantics that faithfully captures the traditional partial-heaps-based model for the SL 
subsyntax. 

Definition 3.2 (Total Heaps and Permission Masks). A total heap H is a total map from
pairs of object-identifier o and field-identifier f to values v. Heap lookup is written H[o, f].
We write field location to mean a pair of object-identifier and field-identifier.

A permission mask P is a total map from pairs of object-identifier and field-identifier to
permissions. Permission lookup is written P[o, f].

We write $P_1 \sqsubseteq P_2$ for permission mask extension, i.e., $\forall (o, f).\ P_1[o, f] \le P_2[o, f]$.

We write $\emptyset$ for the empty permission mask; i.e., the mask which assigns 0 to all locations.

We write $\mathrm{rds}(P)$ for the set of field locations with non-zero permissions in P, that is,
$\{(o, f) \mid P[o, f] > 0\}$. We write $\overline{\mathrm{rds}(P)}$ for the complement of this set of locations.

A state is a triple (H, P, σ) consisting of a heap, a permission mask and an environment σ.

Two permission masks $P_1$ and $P_2$ are compatible, written $P_1 \perp P_2$, if it holds that:

$$\forall (o, f).\ P_1[o, f] + P_2[o, f] \le 1$$

The combination of two permission masks, written $P_1 * P_2$, is undefined if $P_1$ and $P_2$ are not
compatible, and is otherwise defined pointwise to be the following permission mask:

$$(P_1 * P_2)[o, f] = P_1[o, f] + P_2[o, f]$$

We define the greatest lower bound of two masks:

$$(P_1 \sqcap P_2)[o, f] = \min(P_1[o, f], P_2[o, f])$$

and the least upper bound of two masks:

$$(P_1 \sqcup P_2)[o, f] = \max(P_1[o, f], P_2[o, f])$$

Finally, we define a partial operation of subtraction on permission masks, $P_1 - P_2$. It is
defined if and only if $P_2 \sqsubseteq P_1$, and is defined by:

$$(P_1 - P_2)[o, f] = P_1[o, f] - P_2[o, f]$$

The crucial observation relating our logic to SL is that, while we will use total heaps in
our semantics, we will actually only allow assertions to depend on a subheap: those locations
which the current thread can "read", i.e., that it has at least some permission to. We employ
the notation $\mathrm{rds}(P)$ (where P is a permission mask) to talk about this set of locations.
We will design our semantics such that, for all separation logic assertions, their semantics
in a state with heap H and permissions P corresponds to their traditional semantics using
the (partial) heap obtained by restricting H to just the domain $\mathrm{rds}(P)$ (this restriction is
formally written as $H|P$ later). This idea reflects the intuition that all other locations in
the (total) heap H have unreliable values (which may be subject to interference from other
threads); only assertions which are appropriately "framed" by sufficient permissions can
be relied upon in a concurrent setting.

When we want to explicitly express that an assertion is robust to interference from
other threads, we can do so by considering the evaluation of the assertion in all heaps which
agree with the current one on the locations which the current thread can read, according to
the permissions mask. Effectively, we introduce a "havoc" of all of the locations to which we
hold no permission, and check that the assertion is still guaranteed after all such locations
are assigned arbitrary values. In order to define this operation, we introduce the concept of
two heaps "agreeing" on the permissions in a mask (as well as some other heap constructions)
as follows:

Definition 3.3 (Total Heap Operations). Two heaps $H_1$ and $H_2$ agree on a set of
field locations F, written $H_1 \overset{F}{=} H_2$, if the two heaps contain the same value for each location,
i.e.,

$$H_1 \overset{F}{=} H_2 \iff \forall (o, f) \in F.\ H_1[o, f] = H_2[o, f]$$

Two heaps $H_1$ and $H_2$ agree on permissions P, written $H_1 \overset{P}{=} H_2$, if the two heaps agree on
all field locations given non-zero permission by P, i.e.,

$$H_1 \overset{P}{=} H_2 \iff H_1 \overset{\mathrm{rds}(P)}{=} H_2$$

The restriction of H to P, written $H|P$, is a partial fractional heap (Definition 2.2), defined
by:

$$\mathrm{dom}(H|P) = \mathrm{rds}(P)$$
$$\forall (o, f) \in \mathrm{dom}(H|P).\ (H|P)[o, f] = (H[o, f], P[o, f])$$

The conditional merge of $H_1$ and $H_2$ over a set of locations F, written $(F\ ?\ H_1 : H_2)$, is a
total heap defined by:

$$(F\ ?\ H_1 : H_2)[o, f] = \begin{cases} H_1[o, f] & \text{if } (o, f) \in F \\ H_2[o, f] & \text{otherwise} \end{cases}$$

We write $(P\ ?\ H_1 : H_2)$ as a shorthand for $(\mathrm{rds}(P)\ ?\ H_1 : H_2)$.

We can make use of these operations on total heaps to define what it means for an 
assertion to be stable in a certain state (which intuitively means that its truth only depends 
on heap locations to which it also requires permission to be held). 

Definition 3.4 (Interference, Stability, Self-Framing and Pure Assertions). Given a heap
H and a permissions mask P, the interfered heaps from H, P is a set of heaps defined by:

$$\mathrm{interfere}(H, P) = \{H' \mid H' \overset{P}{=} H\}$$

A set of states S is stable with extra permissions P, written as $\mathrm{stable\text{-}with}_P(S)$, if the extra
permissions are sufficient to make the set closed under interference; i.e.,

$$\mathrm{stable\text{-}with}_P(S) \iff (\forall (H, P', \sigma) \in S.\ \forall H' \in \mathrm{interfere}(H, P * P').\ (H', P', \sigma) \in S)$$

A set of states S is stable, written as $\mathrm{stable}(S)$, if the set is closed under interference; i.e.,

$$\mathrm{stable}(S) \iff \mathrm{stable\text{-}with}_{\emptyset}(S)$$

We write $(\!(A)\!)$ to denote the set of states in which the assertion A is true (the actual
definition of our semantic judgement $H, P, \sigma \models_{TPL} A$ will come later).

$$(\!(A)\!) = \{(H, P, \sigma) \mid H, P, \sigma \models_{TPL} A\}$$

An assertion A is self-framing if and only if the set of states satisfying it is stable; i.e., if
$\mathrm{stable}((\!(A)\!))$ is true.

An assertion A is pure if and only if it doesn't depend on permissions, i.e.,

$$\forall H, P, \sigma.\ ((H, P, \sigma) \in (\!(A)\!) \iff (H, \emptyset, \sigma) \in (\!(A)\!))$$

Intuitively, self-framing assertions are robust to arbitrary interference on the rest of the
heap. For separation logic assertions, this property holds naturally, since it is impossible
for an assertion to talk about the heap without including the appropriate "points-to" pred-
icates, which force the corresponding permissions to be held. This is shown as a corollary
(Corollary 3.21) of the main theorem in this section.

On the other hand, pure assertions which depend on heap values (such pure assertions
are not supported in separation logic, but are employed in implicit dynamic frames) are
naturally not self-framing. An assertion such as x.f = 5 is considered pure (it does not
mention any permissions or points-to predicates); it will be true in a state where we have
no permissions, but in which the value of the heap location x.f is 5. Nonetheless, such a
state is not stable; when we allow for interference, the value of x.f can be modified, and
the truth of the assertion need not be preserved.

3.4. Pure Assertions and Separating Conjunction. Our assertion language includes
the separating conjunction A * B of separation logic (recall Definition 2.3), and permissions
can be distributed multiplicatively across this conjunction. In particular, our semantics
needs to enforce, for an assertion A * B, that the permissions required are the sum of the
permissions required in each of A and B; we can model this by checking that we can split
the permissions mask into two parts, using them to judge the respective conjuncts. A
question which then arises is, what should happen to the heap when judging the separating
conjunction? In the traditional separation logic semantics, which uses partial heaps, since
the heap values and "permissions" are both tracked together in partial heap chunks, it is
natural to divide up the partial heap in this case. In the case of partial fractional heaps, the
two resulting heap chunks can still share values, but only at those locations in which both
parts hold some permission. With a total-heaps semantics, we have a choice as to how to
reflect this "splitting"; we can either only split the permissions mask across the conjuncts,
but leave the heap unchanged, or we can also try to simulate the splitting of heap values,
say, by throwing away information about certain heap locations when judging the individual
conjuncts. By looking only at the separation logic fragment of our logic, we cannot see a
clear advantage either way; since all assertions in that logic can only read the same heap
values that they provide permission to, the question of what should be done with other heap
values is irrelevant there (and a partial heaps model gives no reasonable way to even phrase
this decision, since it conflates the notions of permission to read a location, and the action
of actually reading it). However, this question is pertinent in the case of implicit dynamic
frames, where we have heap-dependent expressions which can occur in pure assertions.

For pure assertions, we want the property that, even when mentioned in a separating
conjunction, they do not actually extend the "heap footprint" of what the assertion requires.
In particular, we would like to retain the law (which holds in intuitionistic separation
logic) that $A_1 * A_2$ is equivalent to $A_1 \wedge A_2$ when either of the two conjuncts is pure. In
particular, this motivates that pure assertions should be allowed to depend on the same
state as assertions they are conjoined with. Of course, in separation logic, where pure
assertions are syntactically restricted to not mention the heap, this "same state" just means
the environment σ. But in implicit dynamic frames, we would like heap-dependent pure
assertions to be allowed to depend on the same heap values that other conjuncts make
readable by providing permissions; when interpreting assertions such as acc(x.f) * x.f = 5
this is exactly what we want.

For these reasons, in our total-heaps model, we define the semantics for separating
conjunction with a split of the permissions mask, but no change to the heap. This is
concretely achieved by checking that we can split P into two pieces, each of which is
sufficient to judge the respective sub-formula; the particular definition (which will be provided
as part of the definition of our full semantics later) is:

$$H, P, \sigma \models_{TPL} A_1 * A_2 \iff \exists P_1, P_2.\ (P = P_1 * P_2 \wedge H, P_1, \sigma \models_{TPL} A_1 \wedge H, P_2, \sigma \models_{TPL} A_2)$$

In the case of some implicit dynamic frames assertions, this rule for treating separating
conjunction may "separate" a heap-dependent expression from the permission used to fix
its value. For example, consider a permissions mask P in which we have full permission
to the location x.f (and no other permissions), and a heap H in which x.f has the value
5. The assertion acc(x.f, 1) * x.f = 5 is true in such a state. But, in treating the separating
conjunction, we are forced to split $P = P_1 * P_2$ and put all permission to x.f into $P_1$, in order
to satisfy the left conjunct, leaving $P_2$ to be the empty permissions mask. The fact that
the sub-formula x.f = 5 is eventually judged in a state in which we hold no permission to
the relevant location x.f is not a problem: we only need to be sure that permission to this
location is held somewhere in the whole assertion, and not in this particular sub-formula.
That is, the property of an assertion being well-formed (self-framing) is not enforced for its
sub-formulas, but only for the assertion as a whole.

3.5. Modelling Partial Heap Extensions. One of the most difficult technical challenges
in the design of our semantics was correctly handling the magic wand ($-\!\!*$) and implication
($\to$) connectives. In the traditional partial heaps semantics of separation logic (Definition
2.3), the semantics of both of these connectives involve considering extensions of the current
heap. In a semantics based on partial heaps, this is rather straightforward, but with total
heaps and permission masks it is not so obvious how to model "heap extension" for these
connectives.

One simple option is just to consider permission extension - leave the heap unchanged 
but consider all larger permissions masks. The problem with this rather-simplistic proposal 
is that it attaches significance to pre-existing values in our total heap even in the case where 
we previously had no permission to them. Since such values are generally meaningless, this 
doesn't give a well-behaved semantics. When one compares with the operation of extending 
partial heaps, which we are trying to simulate appropriately, it can be seen that the approach 
doesn't work; when a new heap location is added in a partial heaps model, it can take any 
value, whereas our total heap only has one value at any one time. 

In order to avoid tying ourselves down to the values in our total heaps which are not 
necessarily currently meaningful, we can instead model heap extension by adding on extra 
permission and then havocing (i.e., assigning arbitrary values to) the heap locations to 
which we have newly acquired permission. In this way, we make the original heap values 
stored at these locations irrelevant, and correctly reflect the general operation of adding on 
a fresh heap location in a partial-heaps-based model. To this end, we define several variants 
of this idea of how to model state extensions. The differences in the variants come from 
two decisions. Firstly, when we add on new permission, do we havoc the heap values at all 
locations to which we previously held no permission (we call this a global havoc), or only 
those which the permissions newly allow us to read (we call this a local havoc)? Secondly, 
when we define the extensions of a state, are we interested in resulting states in which we 
combine the new permissions with those we held previously, or do we just want to describe 
the "extra" disjoint part of the state (using the new permissions, but not the old ones)? 
These questions give rise to the following four concepts: 

Definition 3.5 (State Extensions). The set of locally-havoced extensions of a state (H, P, σ)
is the set of states in which extra permission is added, and possibly-new values are assigned
to the newly-readable locations, i.e.,:

$$\mathrm{localExts}(H, P, \sigma) = \{(H', P * P', \sigma) \mid P' \perp P \wedge H' \overset{\mathrm{rds}(P) \cup \overline{\mathrm{rds}(P')}}{=} H\}$$

The set of globally-havoced extensions of a state (H, P, σ) is the set of states in which extra
permission is added, and possibly-new values are assigned to the previously-unreadable
locations, i.e.,:

$$\mathrm{globalExts}(H, P, \sigma) = \{(H', P * P', \sigma) \mid P' \perp P \wedge H' \in \mathrm{interfere}(H, P)\}$$

The set of locally-havoced disjoint extensions of a state (H, P, σ) is the set of states in which
extra permission is added, possibly-new values are assigned to the newly-readable locations,
and only the extra permissions are kept in the results, i.e.,:

$$\mathrm{localDisjExts}(H, P, \sigma) = \{(H', P', \sigma) \mid P' \perp P \wedge H' \overset{\mathrm{rds}(P) \cup \overline{\mathrm{rds}(P')}}{=} H\}$$

The set of globally-havoced disjoint extensions of a state (H, P, σ) is the set of states in which
extra permission is added, possibly-new values are assigned to the previously-unreadable
locations, and only the extra permissions are kept in the results, i.e.,:

$$\mathrm{globalDisjExts}(H, P, \sigma) = \{(H', P', \sigma) \mid P' \perp P \wedge H' \in \mathrm{interfere}(H, P)\}$$

As we will see later in this section, we have uses for all of these notions of state extension,
and choosing the appropriate one at various points is important for our logic to have the
right semantics.

3.6. Minimal Extensions and Implication. We now consider how to design an appro-
priate semantics for implication in our logic, which should manage to work appropriately
both for the separation logic and implicit dynamic frames fragments. Recall that, in the
traditional semantics of (intuitionistic) separation logic (cf. Definition 2.3), an implicative
assertion $a_1 \to a_2$ is true if, in all extensions of the current heap, whenever $a_1$ is true then $a_2$
is also true. Therefore, we need to be careful to appropriately model this idea of extending
the current state when judging an implication. We use three examples here to guide the
discussion of our design:

Ex. 1: $x.f \mapsto \_ * (x.f \mapsto 5 \to y.g \mapsto \_)$

Ex. 2: $\mathit{acc}(x.f, 1) * ((\mathit{acc}(x.f, 1) * x.f = 5) \to \mathit{acc}(y.g, 1))$

Ex. 3: $\mathit{acc}(x.f, 1) * (x.f = 5 \to \mathit{acc}(y.g, 1))$

In (intuitionistic) separation logic, the first formula is actually only true in states which
have (full) permission to both locations x.f and y.g. The reason is that, in judging the
implication subformula, we have to consider all extensions of the provided state. Unless the
state in which we judge the implication has at least some permission to x.f (and gives a
value other than 5 to this location), then when we consider all extensions of the heap we
must consider the possibility that the new heap stores a value 5 at this location. Since the
left-hand conjunct $x.f \mapsto \_$ requires full access to x.f, no permission to this location can be
left over when judging the implication on the right. The formula can be formally shown to
be equivalent to $x.f \mapsto \_ * y.g \mapsto \_$ according to the standard semantics of Definition 2.3 as
follows:

Proof. It suffices to show that

$$h, \sigma \models_{SL} (x.f \mapsto 5 \to y.g \mapsto \_) \wedge (\llbracket x \rrbracket_\sigma, f) \notin \mathrm{dom}(h) \ \Rightarrow\ \text{the permission component of } h[\llbracket y \rrbracket_\sigma, g] \text{ is } 1$$

We can prove this by contradiction. We assume $(\llbracket x \rrbracket_\sigma, f) \notin \mathrm{dom}(h)$ and that the permission
component of $h[\llbracket y \rrbracket_\sigma, g]$ is not 1, and consider the semantics of the implication:

$$\forall h'.\ (h' \perp h \wedge h * h', \sigma \models_{SL} x.f \mapsto 5 \ \Rightarrow\ h * h', \sigma \models_{SL} y.g \mapsto \_)$$

By choosing h' to be the heap containing x.f with full permission and value 5, and with
no other location in its domain, we deduce a contradiction, since $h * h', \sigma \models_{SL} x.f \mapsto 5$ does
hold, while $h * h', \sigma \models_{SL} y.g \mapsto \_$ does not. □

The second example formula listed above is actually a translation of the first into im- 
plicit dynamic frames: it is only true in states which have (full) permission to both locations 
x.f and y.g in our semantics, and for the same reasons as the previous example. However, 
this assertion goes beyond the syntax of implicit dynamic frames typically supported by 
tools; we will discuss this later. The third formula should mean: we have (full) permission 
to access x.f, and if its value is currently 5 then we also have full access to y.f. This kind of 
assertion is already supported by the Chalice tool, and has exactly that intuitive meaning. 
We need to decide which of the notions of state extension, as given in Definition 3.5, we
should use to define our semantics for implication. Since, in the traditional separation logic
semantics, the two sides of an implication get judged in the whole resulting heap (after the
state extension), the latter two "disjoint" variants from the definition are not appropriate.
However, we still have the choice between considering locally-havoced or globally-havoced
extensions. Let us consider the (slightly simpler) option of using globally-havoced exten-
sions. This leads us to the following candidate semantics for implication:

$$\forall P', H'.\ (P' \perp P \wedge H' \overset{P}{=} H \wedge H', P * P', \sigma \models_{TPL} A_1 \ \Rightarrow\ H', P * P', \sigma \models_{TPL} A_2)$$

This definition gives the correct meaning to our first example assertion: since we judge the
implication in a state in which we have no permission to x.f (all such permission has to
be given to the left-hand side of the *), we have to consider heaps H' in which x.f has
taken on arbitrary values. In particular, there are some such heaps in which x.f has the
value 5, and this forces the requirement that we must also have full permission to y.g, just
as in the traditional separation logic semantics. In fact, using locally-havoced extensions
in our definition (i.e., changing the constraint on H' to be $H' \overset{\mathrm{rds}(P) \cup \overline{\mathrm{rds}(P')}}{=} H$) would also
give the right semantics, since we are still required to consider the possibility that we add
on permission to x.f in the extra permissions P', and in this case it is allowed for H' to
differ from H on x.f's value. In fact, it is generally the case that the choice of locally-
havoced or globally-havoced extensions makes no difference when we consider separation
logic assertions. Exactly the same arguments (and resulting semantics) apply to the second
of our example assertions.

However, the candidate definition above does not in general have the correct meaning for
implicit dynamic frames. In particular, our third example formula does not have the correct
semantics. The change of heap forces us to consider extensions in which we alter the value of
x.f in the heap, and thus our third example also becomes equivalent to acc(x.f) * acc(y.f),
since the value restriction for x.f is made irrelevant by this potential change. To see exactly
what we need here, we need to again consider carefully the meaning of x.f in a pure assertion.
When such a heap-dependent expression occurs on the left of an implication, its intended
meaning depends on where in the assertion we find permission to the heap location. There
are two important questions: does a permission to this location also occur on the left of the
implication (e.g., in our second example formula), and does a permission to this location
occur elsewhere in the assertion? If neither occurs, i.e., there is no permission guaranteed
to x.f anywhere in the assertion, then the expression is meaningless; we will consider this
case ill-formed, and so can give it any semantics. If a permission to x.f occurs on the left of
the implication in question (as in our second example formula), then it is possible that the
value of the heap location is fixed as part of the heap extension, and therefore we should
allow this value to change as part of the extension, as in our last candidate semantics above.
In particular, if we judge the truth of the implication in a state in which we start off with
no permission to the location x.f, then it is just by adding the new permission required on
the left of the implication that we can read from the location, and so we should consider
that the value may be different from that in our original state. Finally, if a permission does
not occur on the left of the implication, but does occur elsewhere in the assertion (as in our
third example formula acc(x.f, 1) * (x.f = 5 → acc(y.g, 1))), then we should not allow the
value of x.f to change when judging the implication; its value must be determined by the
permission outside of the implication, and so should not be allowed to change when judging
it.

This analysis leads us to the conclusion that, in our candidate semantics above, we are
considering too many extensions. We need to only consider the minimal extensions of the
state to make the left of the implication true; in particular, we should only add permissions
if the left-hand side of the implication explicitly requires them, and only allow values to
change at those locations to which we added new permission. To this end, we provide a
definition to capture the idea of a minimal permission extension, which expresses that the
extra permission we add on does not make any more locations readable than is necessary
to make the assertion we are concerned with true:

Definition 3.6 (Minimal Permission Extensions). Starting from a state (H, P, σ), we say
that P' is a minimal permission extension of (H, P, σ) to satisfy A, which we write as
$(H, P, \sigma) \lhd P' \models_{TPL} A$, as described by the following formula:

$$(H, P, \sigma) \lhd P' \models_{TPL} A \iff H, P * P', \sigma \models_{TPL} A \ \wedge\ \forall P''.\ (P'' \sqsubseteq P' \wedge \mathrm{rds}(P'') \subset \mathrm{rds}(P') \ \Rightarrow\ H, P * P'', \sigma \not\models_{TPL} A)$$

We abstract over the precise permission values in this minimal extension (by focusing on 
which locations are readable, using the rds() concept), in order to avoid imposing restrictions 
on the underlying permissions model (in particular, our definition does not depend on there 
being a greatest lower bound for the acceptable permission values to satisfy an assertion). 
That is, a minimal permission extension can add on more permission than the assertion 
really requires, so long as it does not increase the set of locations accessible in the permissions 
mask by more than necessary. 

Using the concept of a minimal permission extension, along with the notion of locally- 
havoced extensions, we can finally define the semantics for implication which works for our 
general logic: 

$$H, P, \sigma \models_{TPL} A_1 \to A_2 \iff \forall (H', P * P', \sigma) \in \mathrm{localExts}(H, P, \sigma).\ (H', P, \sigma) \lhd P' \models_{TPL} A_1 \ \Rightarrow\ H', P * P', \sigma \models_{TPL} A_2$$

This definition can be informally understood as follows: Ai -^ A2 is true in a state if, for all 
minimal extensions (and corresponding havocs) of the state such that Ai holds, A2 must 
hold as well. The extension of the state is modelled by adding on the permissions P', and 
allowing the values of the heap to be modified in exactly the locations which become newly- 
readable by adding on these permissions. Furthermore, we insist on the permissions added 
being minimal in the locations which they make readable, while still satisfying Ai. 

This definition correctly captures that we sometimes need to consider changing values
in the heap when judging an implication, but only when it is permissions in the left-hand
side of the implication that allow the reading of the locations. For example, using the
definition above, the third example formula acc(x.f, 1) * (x.f = 5 → acc(y.f, 1)) is true
exactly in a state where we have (full) permission to x.f, and where, if the current value
of x.f is 5, we also have (full) permission to y.f. On the other hand, the second formula
acc(x.f, 1) * ((acc(x.f, 1) * x.f = 5) → acc(y.f, 1)) is true exactly when we have full permission
to both x.f and y.f; this is because the implication is evaluated in a state with no permission
to x.f, and when our semantics considers extending this state by just enough permission to
make the left-hand side true, we have to allow for the possibility that this makes x.f newly
readable, and thus makes it take on a new value.

Although we did not discuss the semantics of the magic wand connective ($-\!\!*$) in the
above, similar considerations lead us to also use the concept of minimal extensions in its
definition. The formal definitions of our semantics come in the following subsection.

3.7. Magic Wand Semantics. We design our semantics for the "magic wand" connective
$-\!\!*$ along similar lines to that for implication. In particular, if one writes a pure assertion $A_1$
on the left of a wand formula $A_1 \mathrel{-\!\!*} A_2$, then we do not want the semantics of the assertion
to consider havocing heap locations that $A_1$ refers to. Put another way, for pure $A_1$ we
would like the property that $A_1 \mathrel{-\!\!*} A_2$ is equivalent to $A_1 \to A_2$, which, as we have already
decided, should have a semantics which allows $A_1$ to refer to heap values in our original
state, unless extra permission to those locations is added in $A_1$. This reasoning leads us to
again employ our notion of minimal permission extension, but this time we complement it
with locally-havoced disjoint extensions:

$$H, P, \sigma \models_{TPL} A_1 \mathrel{-\!\!*} A_2 \iff \forall (H', P', \sigma) \in \mathrm{localDisjExts}(H, P, \sigma).\ ((H', \emptyset, \sigma) \lhd P' \models_{TPL} A_1 \ \Rightarrow\ H', P * P', \sigma \models_{TPL} A_2)$$

3.8. Total Heaps Semantics for TPL. We can now define our semantics for assertions.
We make use of the concept of a minimal permission extension (Definition 3.6) to describe
minimal extensions to the whole state when judging implications and magic wand assertions:

Definition 3.7 (Total Heap Semantics for TPL). We define validity of TPL-assertions with
respect to a specified total heap H and permission mask P recursively on the structure of
the assertion:

$$H, P, \sigma \models_{TPL} E.f \mapsto_\pi E' \iff P[\llbracket E \rrbracket_{\sigma,H}, f] \ge \pi \wedge H[\llbracket E \rrbracket_{\sigma,H}, f] = \llbracket E' \rrbracket_{\sigma,H}$$

$$H, P, \sigma \models_{TPL} A_1 * A_2 \iff \exists P_1, P_2.\ (P = P_1 * P_2 \wedge H, P_1, \sigma \models_{TPL} A_1 \wedge H, P_2, \sigma \models_{TPL} A_2)$$

$$H, P, \sigma \models_{TPL} A_1 \mathrel{-\!\!*} A_2 \iff \forall (H', P', \sigma) \in \mathrm{localDisjExts}(H, P, \sigma).\ (H', \emptyset, \sigma) \lhd P' \models_{TPL} A_1 \ \Rightarrow\ H', P * P', \sigma \models_{TPL} A_2$$

$$H, P, \sigma \models_{TPL} A_1 \wedge A_2 \iff H, P, \sigma \models_{TPL} A_1 \wedge H, P, \sigma \models_{TPL} A_2$$

$$H, P, \sigma \models_{TPL} A_1 \vee A_2 \iff H, P, \sigma \models_{TPL} A_1 \vee H, P, \sigma \models_{TPL} A_2$$

$$H, P, \sigma \models_{TPL} A_1 \to A_2 \iff \forall (H', P * P', \sigma) \in \mathrm{localExts}(H, P, \sigma).\ (H', P, \sigma) \lhd P' \models_{TPL} A_1 \ \Rightarrow\ H', P * P', \sigma \models_{TPL} A_2$$

$$H, P, \sigma \models_{TPL} \mathit{acc}(E.f, \pi) \iff P[\llbracket E \rrbracket_{\sigma,H}, f] \ge \pi$$

$$H, P, \sigma \models_{TPL} E = E' \iff \llbracket E \rrbracket_{\sigma,H} = \llbracket E' \rrbracket_{\sigma,H}$$

$$H, P, \sigma \models_{TPL} \exists x.\, A \iff \exists v.\ (H, P, \sigma[x \mapsto v] \models_{TPL} A)$$

Note the similarity between the definitions for magic wand $-\!\!*$ and logical implication $\to$.
This is because both cases involve heap extension in the partial heap semantics; in our total
heap semantics we model heap extension by enabling the assignment of new arbitrary values
to the part of the heap we have added permissions to.
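As an added worked example (this is not code from the paper), the definitions of this section can be checked mechanically over a finite universe. The Python script below implements permission masks and their operations (Definition 3.2), heap agreement (Definition 3.3), locally-havoced extensions (Definition 3.5), minimal permission extensions (Definition 3.6) and the acc, =, * and → cases of Definition 3.7, over a constructed universe of two field locations, two values and permissions {0, 1/2, 1}, so that every quantifier over heaps and masks is enumerated exhaustively. It then judges the second and third example assertions of Section 3.6 in three constructed states, and also judges the third example under the rejected globally-havoced candidate implication, to reproduce the claims made there. The tuple encoding of assertions, the function names and the object identifiers ox and oy are assumptions of this example.

```python
"""Finite-state model of the TPL total-heaps semantics (Definitions 3.2-3.7), added example.
Constructed universe: locations x.f and y.g, values {0, 5}, permissions {0, 1/2, 1}, so the
quantifiers over heaps and masks can be enumerated exhaustively. Assertions are nested tuples."""
from fractions import Fraction
from itertools import product

LOCS = (("ox", "f"), ("oy", "g"))      # constructed: objects ox, oy with fields f, g
VALS = (0, 5)
PERMS = (Fraction(0), Fraction(1, 2), Fraction(1))

def all_masks():
    """Every permission mask over LOCS (total map location -> permission)."""
    return [dict(zip(LOCS, ps)) for ps in product(PERMS, repeat=len(LOCS))]

def all_heaps():
    """Every total heap over LOCS."""
    return [dict(zip(LOCS, vs)) for vs in product(VALS, repeat=len(LOCS))]

def rds(P):
    """rds(P): locations with non-zero permission in P."""
    return frozenset(loc for loc in LOCS if P[loc] > 0)

def compatible(P1, P2):
    """P1 ⊥ P2: the pointwise sum never exceeds full permission."""
    return all(P1[loc] + P2[loc] <= 1 for loc in LOCS)

def combine(P1, P2):
    """P1 * P2, defined only for compatible masks."""
    assert compatible(P1, P2), "masks are not compatible"
    return {loc: P1[loc] + P2[loc] for loc in LOCS}

def agree(H1, H2, F):
    """H1 =_F H2: both heaps store the same value at every location in F."""
    return all(H1[loc] == H2[loc] for loc in F)

def local_exts(H, P):
    """localExts(H, P, σ) as (H', P') pairs: P' ⊥ P and H' agrees with H on
    rds(P) ∪ complement(rds(P')), i.e. only newly readable locations are havoced."""
    keep = lambda P2: rds(P) | (frozenset(LOCS) - rds(P2))
    return [(H2, P2) for P2 in all_masks() if compatible(P2, P)
            for H2 in all_heaps() if agree(H2, H, keep(P2))]

def evaluate(E, sigma, H):
    """[[E]]_{σ,H}: ("var", x), ("int", n) or ("fld", E, f)."""
    if E[0] == "var":
        return sigma[E[1]]
    return E[1] if E[0] == "int" else H[(evaluate(E[1], sigma, H), E[2])]

def minimal(H, P, sigma, P2, A):
    """(H,P,σ) ◁ P' ⊨ A (Definition 3.6): A holds with P * P', and no mask below P'
    that makes strictly fewer locations readable also makes A hold."""
    if not sat(H, combine(P, P2), sigma, A):
        return False
    return not any(sat(H, combine(P, P3), sigma, A) for P3 in all_masks()
                   if all(P3[l] <= P2[l] for l in LOCS) and rds(P3) < rds(P2))

def sat(H, P, sigma, A):
    """H,P,σ ⊨_TPL A for acc, =, * and → (Definition 3.7)."""
    kind = A[0]
    if kind == "acc":                                   # ("acc", E, f, π)
        return P[(evaluate(A[1], sigma, H), A[2])] >= A[3]
    if kind == "eq":                                    # ("eq", E, E')
        return evaluate(A[1], sigma, H) == evaluate(A[2], sigma, H)
    if kind == "star":                                  # split P, keep H unchanged
        return any(sat(H, P1, sigma, A[1]) and sat(H, P2, sigma, A[2])
                   for P1 in all_masks() for P2 in all_masks()
                   if compatible(P1, P2) and combine(P1, P2) == P)
    if kind == "imp":                                   # minimal locally-havoced extensions
        return all(not minimal(H2, P, sigma, P2, A[1]) or sat(H2, combine(P, P2), sigma, A[2])
                   for H2, P2 in local_exts(H, P))
    raise ValueError(A)

def imp_global_candidate(H, P, sigma, A1, A2):
    """The rejected candidate for A1 → A2 of Section 3.6: global havoc (interfere(H, P)),
    no minimality requirement on the added permissions P'."""
    return all(not sat(H2, combine(P, P2), sigma, A1) or sat(H2, combine(P, P2), sigma, A2)
               for P2 in all_masks() if compatible(P2, P)
               for H2 in all_heaps() if agree(H2, H, rds(P)))

# The paper's second and third example assertions over a constructed environment σ.
SIGMA = {"x": "ox", "y": "oy"}
ACC_XF = ("acc", ("var", "x"), "f", Fraction(1))
ACC_YG = ("acc", ("var", "y"), "g", Fraction(1))
XF_IS_5 = ("eq", ("fld", ("var", "x"), "f"), ("int", 5))
EX2 = ("star", ACC_XF, ("imp", ("star", ACC_XF, XF_IS_5), ACC_YG))
EX3 = ("star", ACC_XF, ("imp", XF_IS_5, ACC_YG))

def ex3_under_candidate(H, P):
    """EX3 judged with the candidate implication instead of the final one."""
    return any(sat(H, P1, SIGMA, ACC_XF) and imp_global_candidate(H, P2, SIGMA, XF_IS_5, ACC_YG)
               for P1 in all_masks() for P2 in all_masks()
               if compatible(P1, P2) and combine(P1, P2) == P)

def check_examples():
    """For constructed states (x.f value, permission to y.g; x.f always fully owned):
    returns (Ex.2, Ex.3, Ex.3 under the candidate semantics) per state."""
    results = {}
    for name, (xf, yg) in {"xf0_noyg": (0, 0), "xf5_noyg": (5, 0), "xf0_yg": (0, 1)}.items():
        H = {("ox", "f"): xf, ("oy", "g"): 0}
        P = {("ox", "f"): Fraction(1), ("oy", "g"): Fraction(yg)}
        results[name] = (sat(H, P, SIGMA, EX2), sat(H, P, SIGMA, EX3), ex3_under_candidate(H, P))
    return results
```

`check_examples()` reproduces the discussion of Section 3.6: with full permission to x.f only and x.f = 0, Ex. 3 holds while Ex. 2 fails, and Ex. 3 fails under the candidate semantics (the candidate makes it equivalent to acc(x.f) * acc(y.g), exactly as the text says); with x.f = 5 and no permission to y.g both examples fail; with full permission to both locations both hold under either semantics. The minimality check in `minimal` is what rules out the extensions that add permission to x.f when the antecedent is the pure assertion x.f = 5, since the empty mask already satisfies it.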

Evaluation of TPL expressions depends on a given environment and heap, and is defined
by:

$$\llbracket x \rrbracket_{\sigma,H} = \sigma(x) \qquad \llbracket n \rrbracket_{\sigma,H} = n \qquad \llbracket E.f \rrbracket_{\sigma,H} = H[\llbracket E \rrbracket_{\sigma,H}, f] \qquad \llbracket \mathit{null} \rrbracket_{\sigma,H} = \mathit{null}$$

The meaning of separation logic expressions is preserved (and is independent of the
heap), as the following lemma shows:

Lemma 3.8. $\forall e, \sigma, H.\ \llbracket e \rrbracket_{\sigma,H} = \llbracket e \rrbracket_\sigma$

The main aims of the rest of this section are to show that our assertion semantics also 
preserves the original meaning of separation logic assertions. 

3.9. Strengthening and Weakening Results. In this subsection, we present some of the 
technical properties which describe how our semantics behaves when we add and remove 
permissions, and when we extend states. 

The following lemma shows the (intuitive) property that we can always discard super-
fluous permissions to reach a minimal permission extension:

Lemma 3.9 (Minimisation of Permission Masks). If $H, P_1 * P_2, \sigma \models_{TPL} A$ then $\exists P_3 \sqsubseteq P_2$
such that $(H, P_1, \sigma) \lhd P_3 \models_{TPL} A$. (See page 39 for proof.)

Definition 3.10 (Weakening-closed and Intuitionistic formulas). We define a formula A to
be weakening-closed if and only if

$$\forall H, P, \sigma, P'.\ (P \sqsubseteq P' \wedge H, P, \sigma \models_{TPL} A \ \Rightarrow\ H, P', \sigma \models_{TPL} A)$$

We define a formula A to be intuitionistic if and only if

$$\forall H, P, \sigma.\ (H, P, \sigma \models_{TPL} A \ \Rightarrow\ \forall (H', P', \sigma) \in \mathrm{globalExts}(H, P, \sigma).\ H', P', \sigma \models_{TPL} A)$$

Lemma 3.11. If A is weakening-closed, $(H, P, \sigma) \lhd P' \models_{TPL} A$, $P' \sqsubseteq P''$ and $\mathrm{rds}(P') =
\mathrm{rds}(P'')$, then $(H, P, \sigma) \lhd P'' \models_{TPL} A$. (See page 39 for proof.)

The following technical lemma shows that any necessary permissions in a state are still
necessary in a state with fewer permissions, provided the assertion we are considering is
closed under permission extension:

Lemma 3.12 (Minimal Permission Extensions Closed). If $(H, P_1 * P_2, \sigma) \lhd P_3 \models_{TPL} A$ and
A is weakening-closed, then $\exists P_4 \sqsubseteq P_2$ such that $(H, P_1, \sigma) \lhd P_4 * P_3 \models_{TPL} A$. (See page 39 for
proof.)

The validity of assertions in this semantics is closed under permission extension.

Proposition 3.13. All formulas A are weakening-closed.

Proof sketch: By induction on the structure of the formula. (Full proof on page 40.)

In our later results, we sometimes need to be able to define when a minimal permission 
extension in one state corresponds with a minimal permission extension in another. In 
particular, we want to be able to show that, under certain conditions, the notion of what 
is a minimal extension in a current state is robust to interference. An important property 
which helps us here, is to be able to express that the truth of an assertion is stable in all 
extensions of a particular state. That is, even if the assertion does not hold in the current 
state, in all extensions which do satisfy the assertion, its truth will be stable. This can be 
expressed by the following definitions. 
Definition 3.14. An assertion $A$ is extension framed in a state $(H, P, \sigma)$ if and only if $A$ is stable in all (globally-havoced) extensions, i.e., 

$$\mathsf{ExtFrm}(H, P, \sigma, A) \iff \mathsf{stable}(\mathsf{globalExts}(H, P, \sigma) \cap \langle\!\langle A \rangle\!\rangle)$$

We also define the set of states in which $A$ is extension framed: 

$$\mathsf{ExtFrm}(A) = \{ (H, P, \sigma) \mid \mathsf{ExtFrm}(H, P, \sigma, A) \}$$

An assertion $A$ is disjoint extension framed in the current memory if and only if, in all (globally-havoced) disjoint extensions, the truth of $A$ is stable with the permissions held originally: 

$$\mathsf{DisExtFrm}(H, P, \sigma, A) \iff \mathsf{stable\text{-}with}_P(\mathsf{globalDisjExts}(H, P, \sigma) \cap \langle\!\langle A \rangle\!\rangle)$$

We also define the set of states in which $A$ is disjoint-extension framed: 

$$\mathsf{DisExtFrm}(A) = \{ (H, P, \sigma) \mid \mathsf{DisExtFrm}(H, P, \sigma, A) \}$$

Note that we use the globally-havoced notions of state extension (cf. Definition 3.5) rather than locally-havoced. The reason for this is that we need this criterion on assertions to be preserved under interference, at various points in our proofs. The following lemma characterises the essential properties that we require of these definitions. 
Lemma 3.15. 

(1) If $(H, P, \sigma) \in \mathsf{ExtFrm}(A)$, then: 

(a) if $H' \in \mathsf{interfere}(H, P)$, then $(H', P, \sigma) \in \mathsf{ExtFrm}(A)$. 

(b) if $P' \perp P$ and $H' \in \mathsf{interfere}(H, P * P')$ and $H, P * P', \sigma \models_{TPL} A$, then $H', P * P', \sigma \models_{TPL} A$. 

(2) If $(H, P, \sigma) \in \mathsf{DisExtFrm}(A)$, then: 

(a) if $H' \in \mathsf{interfere}(H, P)$, then $(H', P, \sigma) \in \mathsf{DisExtFrm}(A)$. 

(b) if $P' \perp P$ and $H' \in \mathsf{interfere}(H, P * P')$ and $H, P', \sigma \models_{TPL} A$, then $H', P', \sigma \models_{TPL} A$. 

(See page 41 for proof.) 

Note that using $\mathsf{localExts}(H, P, \sigma)$, or $\mathsf{localDisjExts}(H, P, \sigma)$, rather than $\mathsf{globalExts}(H, P, \sigma)$, or $\mathsf{globalDisjExts}(H, P, \sigma)$, invalidates part (1.a), or part (2.a), respectively. 

The following technical lemma provides sufficient conditions for a minimal permission 
extension to be robust to interference in the rest of the heap: 

Lemma 3.16 (Preservation of Minimal Extensions). 

(1) For all $(H_1, P_1, \sigma) \in \mathsf{ExtFrm}(A)$, 

$$\forall P_2 \perp P_1.\ \forall H_2 \in \mathsf{interfere}(H_1, P_1).\ ((H_1, P_1, \sigma) \lhd P_2 \models_{TPL} A \Rightarrow (H_2, P_1, \sigma) \lhd P_2 \models_{TPL} A)$$

(2) For all $(H_1, P_1, \sigma) \in \mathsf{DisExtFrm}(A)$, 

$$\forall P_2 \perp P_1.\ \forall H_2 \in \mathsf{interfere}(H_1, P_1).\ ((H_1, \emptyset, \sigma) \lhd P_2 \models_{TPL} A \Rightarrow (H_2, \emptyset, \sigma) \lhd P_2 \models_{TPL} A)$$

(3) If $A$ is self-framing and $P_2 \perp P_1$ and $(H_1, P_1, \sigma) \lhd P_2 \models_{TPL} A$ and $H_2 \in \mathsf{interfere}(H_1, P_1)$, then $(H_2, P_1, \sigma) \lhd P_2 \models_{TPL} A$. 

(See page 42 for proof.) 

We will make use of these technical lemmas in the next subsections, in order to characterise properties of our general semantics. 

3.10. Correspondence with Separation Logic Semantics. In this subsection, we examine the correspondence between the semantics which our definition implies for the separation logic fragment of our logic, and the traditional semantics of separation logic. In order to precisely characterise the laws which hold of the logic, we require a notion of semantic entailment. 

Definition 3.17 (Semantic Entailment, Validity and Equivalence). A TPL assertion $A$ is semantically valid (written $\models_{TPL} A$) if it holds in all situations; i.e., 

$$\models_{TPL} A \iff \forall H, P, \sigma.\ H, P, \sigma \models_{TPL} A$$

Given TPL assertions $A_1$ and $A_2$, we say that $A_1$ semantically entails $A_2$ (and write $A_1 \models_{TPL} A_2$) if and only if $A_2$ holds whenever $A_1$ does; i.e., 

$$A_1 \models_{TPL} A_2 \iff \langle\!\langle A_1 \rangle\!\rangle \subseteq \langle\!\langle A_2 \rangle\!\rangle$$

Given TPL assertions $A_1$ and $A_2$, we say that $A_1$ is equivalent to $A_2$ (and write $A_1 \equiv_{TPL} A_2$) if and only if $A_1 \models_{TPL} A_2$ and $A_2 \models_{TPL} A_1$. 

For pure assertions, our (rather complex) definition of implication can be simplified to a simple boolean evaluation of the conditional: 

Lemma 3.18 (Pure Assertions are Boolean Conditionals). If $A_1$ is pure, then: 

$$H, P, \sigma \models_{TPL} A_1 \rightarrow A_2 \iff (H, P, \sigma \models_{TPL} A_1 \Rightarrow H, P, \sigma \models_{TPL} A_2)$$

Proof. We first observe that if $A_1$ is pure and $(H, P, \sigma) \lhd P' \models_{TPL} A_1$, then $P' = \emptyset$. Simplifying the semantic definition of $\rightarrow$ using this observation gives the required semantics. □ 

Note that this property was not true in the semantics of the precursor paper [15], and 
prevents the former work from correctly modelling Chalice's implication. 

The following lemma also shows how our definition of the semantics for implication and the magic wand can be simplified if we know that the immediate subformulas are self-framing assertions (in this case, we do not encounter the technical difficulties which led us to employ minimal extensions; cf. Section 3.6): 

Lemma 3.19 (Simplified Semantics for Self-Framing Conditionals). 

(1) If $A_1$ and $A_2$ are both self-framing, then: 

(a) $H, P, \sigma \models_{TPL} A_1 \rightarrow A_2$ if and only if: 

$$\forall (H', P', \sigma) \in \mathsf{localExts}(H, P, \sigma).\ (H', P', \sigma \models_{TPL} A_1 \Rightarrow H', P', \sigma \models_{TPL} A_2)$$

(b) $H, P, \sigma \models_{TPL} A_1 \rightarrow A_2$ if and only if: 

$$\forall (H', P', \sigma) \in \mathsf{globalExts}(H, P, \sigma).\ (H', P', \sigma \models_{TPL} A_1 \Rightarrow H', P', \sigma \models_{TPL} A_2)$$

(2) If $A_1$ and $A_2$ are both self-framing, then: 

(a) $H, P, \sigma \models_{TPL} A_1 \mathrel{-\!*} A_2$ if and only if: 

$$\forall (H', P', \sigma) \in \mathsf{localDisjExts}(H, P, \sigma).\ (H', P', \sigma \models_{TPL} A_1 \Rightarrow H', P * P', \sigma \models_{TPL} A_2)$$

(b) $H, P, \sigma \models_{TPL} A_1 \mathrel{-\!*} A_2$ if and only if: 

$$\forall (H', P', \sigma) \in \mathsf{globalDisjExts}(H, P, \sigma).\ (H', P', \sigma \models_{TPL} A_1 \Rightarrow H', P * P', \sigma \models_{TPL} A_2)$$

(See page 43 for proof.) 
This lemma provides two alternative semantics for the implication and wand connectives, which are both equivalent to our actual semantics of Definition 3.7 if we restrict the logic to self-framing subformulas. In particular, to model the fragment of our logic which corresponds to separation logic, these alternative semantics are sufficient. The latter alternative for each connective (defined in terms of globally-havoced extensions) is the semantics used in our precursor paper [15], while the former (using locally-havoced extensions) is convenient to simplify several of our proofs. 

Note that the concepts of minimal permission extensions, and locally-havoced extensions (neither of which were used in our precursor paper) are not motivated by our desire to correctly model separation logic semantics in our total heaps model; as the lemma above makes explicit, a simpler semantics could have been defined if this was our only goal. However, that semantics does not extend to correctly handle the implication in implicit dynamic frames, for which we needed the concept of minimal extensions to get the general case correct, as is motivated in Subsection 3.6. 

We now turn to relating our total heap semantics for separation logic with the standard semantics. To do this, we need to relate partial heaps with pairs of total heap and permission mask. Given any total heap $H$ and permission mask $P$ we can construct a corresponding partial heap $H|_P$. Conversely, any partial heap $h$ can be represented as the restriction of a total heap $H$ to the permission mask corresponding to all the permissions in $h$. This representation however, is not unique: there are many such total heaps $H$ we could choose such that $h = H|_P$. However, the different choices of $H$ can only differ over the locations given no permission in $P$, and Corollary 3.21 demonstrates that such differences do not affect the semantics of assertions. For our correspondence result, it is therefore without loss of generality to consider partial heaps constructed by $H|_P$. We can then show that our total heap semantics for SL is sound and complete with respect to the standard semantics: 

Theorem 3.20 (Correctness of Total Heap Semantics). For all SL-assertions $a$, environments $\sigma$, total heaps $H$, and permission masks $P$: 

$$H, P, \sigma \models_{TPL} a \iff (H|_P), \sigma \models_{SL} a$$

Proof sketch: By induction on the structure of $a$. (Full proof on page 44.) 



This result demonstrates that our total heap semantics correctly models the standard 
semantics of separation logic assertions. 

Corollary 3.21. All separation logic assertions $a$ (Defn 2.1) are self-framing. 

Corollary 3.22. All separation logic assertions a are intuitionistic. 

3.11. Separation Logic Laws. Because our assertion language is more general than that of separation logic, not all properties of the separation logic connectives transfer across to the full generality of TPL. For example, in separation logic, the assertions $a \mathrel{-\!*} (b \mathrel{-\!*} c)$ and $(a * b) \mathrel{-\!*} c$ are (always) equivalent. This is not quite the case in TPL. We can show how various laws which hold for separation logic transfer (in some cases partially) to our more general setting of TPL. Firstly, we need a technical lemma which shows how to break down minimal permission extensions over (separating and logical) conjunctions: 
Lemma 3.23 (Decomposing Minimal Permission Extensions over Conjunctions). 

(1) If $(H, \emptyset, \sigma) \lhd P' \models_{TPL} A_1 * A_2$ then $\exists P_1, P_2$ such that $P' = P_1 * P_2$ and $(H, \emptyset, \sigma) \lhd P_1 \models_{TPL} A_1$ and $(H, \emptyset, \sigma) \lhd P_2 \models_{TPL} A_2$. 

(2) If $(H, P, \sigma) \lhd P' \models_{TPL} A_1 \wedge A_2$ then $\exists P_1, P_2$ such that $P' = P_1 * P_2$ and $(H, P, \sigma) \lhd P_1 \models_{TPL} A_1$ and $(H, P * P_1, \sigma) \lhd P_2 \models_{TPL} A_2$. 

(See page 45 for proof.) 

Certain technical properties which follow do not hold for general formulas, but only for those that do not behave disjunctively. Following O'Hearn et al. [13], we call these formulas supported. A formula such as $\mathsf{acc}(x.f, 1) \vee \mathsf{acc}(y.f, 1)$ is not supported, while $(b = 1 \rightarrow \mathsf{acc}(x.f, 1)) * (b \neq 1 \rightarrow \mathsf{acc}(y.f, 1))$ is supported. 

Definition 3.24 (Supported Formulas). A formula $A$ is supported iff for all $H$, $\sigma$, $P_1$ and $P_2$, if $H, P_1, \sigma \models_{TPL} A$ and $H, P_2, \sigma \models_{TPL} A$, then $H, P_1 \cap P_2, \sigma \models_{TPL} A$. 

Supported assertions allow minimal permission extensions to be combined for both $*$ and $\wedge$. 

Lemma 3.25 (Composing Minimal Permission Extensions over Supported Conjunctions). 

(1) If $(H, \emptyset, \sigma) \lhd P_1 \models_{TPL} A_1$ and $(H, \emptyset, \sigma) \lhd P_2 \models_{TPL} A_2$ and $A_1$ and $A_2$ are supported, then $(H, \emptyset, \sigma) \lhd P_1 * P_2 \models_{TPL} A_1 * A_2$. 

(2) If $(H, P, \sigma) \lhd P_1 \models_{TPL} A_1$ and $(H, P * P_1, \sigma) \lhd P_2 \models_{TPL} A_2$ and $A_1$ and $A_2$ are supported, then $(H, P, \sigma) \lhd P_1 * P_2 \models_{TPL} A_1 \wedge A_2$. 

(See page 46 for proof.) 

We can now show which of the usual separation logic laws carry over to our more general logic, and under which conditions: 

Proposition 3.26. For all TPL assertions $A_1$, $A_2$, $A_3$: 

(1) $A_1 * (A_1 \mathrel{-\!*} A_2) \models_{TPL} A_2$ 

(2) $A_1 \wedge (A_1 \rightarrow A_2) \models_{TPL} A_2$ 

(3) (a) $\mathsf{DisExtFrm}(A_1) \cap \langle\!\langle A_1 \mathrel{-\!*} (A_2 \mathrel{-\!*} A_3) \rangle\!\rangle \subseteq \langle\!\langle (A_1 * A_2) \mathrel{-\!*} A_3 \rangle\!\rangle$ 

(b) if $A_1$ and $A_2$ are supported, then: 

$$\mathsf{DisExtFrm}(A_1) \cap \langle\!\langle (A_1 * A_2) \mathrel{-\!*} A_3 \rangle\!\rangle \subseteq \langle\!\langle A_1 \mathrel{-\!*} (A_2 \mathrel{-\!*} A_3) \rangle\!\rangle$$

(c) if both $A_1 * A_2$ and $A_3$ are self-framing, then: 

$$\mathsf{DisExtFrm}(A_1) \cap \langle\!\langle (A_1 * A_2) \mathrel{-\!*} A_3 \rangle\!\rangle \subseteq \langle\!\langle A_1 \mathrel{-\!*} (A_2 \mathrel{-\!*} A_3) \rangle\!\rangle$$

(4) (a) $\mathsf{ExtFrm}(A_1) \cap \langle\!\langle A_1 \rightarrow (A_2 \rightarrow A_3) \rangle\!\rangle \subseteq \langle\!\langle (A_1 \wedge A_2) \rightarrow A_3 \rangle\!\rangle$ 

(b) if $A_1$ and $A_2$ are supported, then: 

$$\mathsf{ExtFrm}(A_1) \cap \langle\!\langle (A_1 \wedge A_2) \rightarrow A_3 \rangle\!\rangle \subseteq \langle\!\langle A_1 \rightarrow (A_2 \rightarrow A_3) \rangle\!\rangle$$

(c) if both $A_1 \wedge A_2$ and $A_3$ are self-framing, then: 

$$\mathsf{ExtFrm}(A_1) \cap \langle\!\langle (A_1 \wedge A_2) \rightarrow A_3 \rangle\!\rangle \subseteq \langle\!\langle A_1 \rightarrow (A_2 \rightarrow A_3) \rangle\!\rangle$$

(5) If $A_1 \models_{TPL} (A_2 \mathrel{-\!*} A_3)$ then $(A_1 * A_2) \models_{TPL} A_3$ 

(6) If $A_1$ is self-framing and $(A_1 * A_2) \models_{TPL} A_3$ then $A_1 \models_{TPL} (A_2 \mathrel{-\!*} A_3)$ 

(See page 47 for proof.) 

To see that the usual separation logic laws do not all hold in general, consider for example the two assertions $A_1 \stackrel{\mathrm{def}}{=} (x.f = 1 \mathrel{-\!*} (\mathsf{acc}(x.f, 1) \mathrel{-\!*} \mathsf{false}))$ and $A_2 \stackrel{\mathrm{def}}{=} (x.f = 1 * \mathsf{acc}(x.f, 1)) \mathrel{-\!*} \mathsf{false}$. The assertion $A_2$ is equivalent to $\mathsf{acc}(x.f, 1)$, that is, a permission mask which cannot be extended with disjoint full access to $x.f$. However, the assertion $A_1$ is also true in models where the heap maps $x.f$ to a value other than 1, as the outer wand does not get to change the current heap. 

The usual separation logic laws do however hold for self-framing assertions, which (by Corollary 3.21) includes all separation logic assertions. 

Corollary 3.27. For all self-framing TPL assertions $A_1$, $A_2$, $A_3$: 

(1) $A_1 * (A_1 \mathrel{-\!*} A_2) \models_{TPL} A_2$ 

(2) $A_1 \wedge (A_1 \rightarrow A_2) \models_{TPL} A_2$ 

(3) $A_1 \mathrel{-\!*} (A_2 \mathrel{-\!*} A_3) \equiv_{TPL} (A_1 * A_2) \mathrel{-\!*} A_3$ 

(4) $A_1 \rightarrow (A_2 \rightarrow A_3) \equiv_{TPL} (A_1 \wedge A_2) \rightarrow A_3$ 

(5) $A_1 \models_{TPL} (A_2 \mathrel{-\!*} A_3)$ if and only if $(A_1 * A_2) \models_{TPL} A_3$ 

3.12. Existentials and Substitution. Next we consider when it is valid to replace a variable with an expression it is equal to; that is, under what condition is $\exists x.\ x = E * A$ equivalent to $A[E/x]$. If the expression does not depend on the heap, then this equivalence holds. 

Lemma 3.28. For any separation logic expression $e$: 

$$(\exists x.\ x = e * A) \equiv_{TPL} A[e/x]$$

Proof. We prove 

$$H, P, \sigma \models_{TPL} A[e/x] \iff H, P, \sigma[x \mapsto \llbracket e \rrbracket_{H,\sigma}] \models_{TPL} A$$

and 

by straightforward inductions on the structures of $A$ and $E$, respectively. □ 

However, if the expression depends on the heap, then the problem is more challenging. Consider the example formula 

$$\exists v.\ v = x.f * \mathsf{acc}(x.f, \pi) * (\mathsf{acc}(x.f, \pi) \mathrel{-\!*} v = 5)$$

This formula is semantically equivalent (noting that changes to the heap do not affect the interpretation of $v$) to 

$$\mathsf{acc}(x.f, \pi) * x.f = 5$$

However, if we apply the standard substitution on the formula, replacing $v$ with the expression $x.f$, then we get 

$$\mathsf{acc}(x.f, \pi) * (\mathsf{acc}(x.f, \pi) \mathrel{-\!*} x.f = 5)$$

which is equivalent to false (recall that the semantics for the $\mathrel{-\!*}$ connective considers "adding on" new permission for $x.f$ in this case, which includes considering changing its value arbitrarily). More abstractly, the difficulty here is that the semantics of $\mathrel{-\!*}$ and $\rightarrow$ consider changes to the current heap; in general this is incompatible with treating heap-dependent expressions as purely syntactic entities which can be moved around amongst subformulas freely, as we would if we wanted a substitution property for such expressions. In particular, the meaning of a heap-dependent expression can differ in different positions in a formula, depending on its nesting under $\mathrel{-\!*}$ and $\rightarrow$ connectives (see footnote). For this reason, if we wanted such a property, we would need to restrict the uses of $\mathrel{-\!*}$ and $\rightarrow$ to enable the substitution of expressions with heap dependencies. To illustrate this, we define a class of formulas that are substitutable. These are the formulas that only contain pure formulas on the left of $\rightarrow$ and $\mathrel{-\!*}$. 

Footnote: One can compare with the analogous situation in standard separation logic: an SL formula such as $x.f \mapsto u * (x.f \mapsto v \rightarrow u = v)$ is not actually valid in traditional intuitionistic separation logic semantics for the same reasons; the semantics of the implication connective includes the concept of "adding on" new access to $x.f$ when evaluating the implication. 

Definition 3.29 (Substitutable formulas). We define a formula as substitutable, $\mathsf{subst}(A)$, by 

$$\mathsf{subst}(A_1 \multimap A_2) \iff \mathsf{subst}(A_1) \wedge \mathsf{subst}(A_2) \text{ and } A_1 \text{ is pure} \quad (\text{where } \multimap \in \{\rightarrow, \mathrel{-\!*}\})$$

$$\mathsf{subst}(A_1 \circ A_2) \iff \mathsf{subst}(A_1) \wedge \mathsf{subst}(A_2) \quad (\text{where } \circ \in \{\vee, \wedge, *\})$$

$$\mathsf{subst}(\exists x.\ A) \iff \mathsf{subst}(A)$$

$$\mathsf{subst}(\mathsf{acc}(E.f, \pi)) \iff \mathsf{subst}(E = E') \iff \mathsf{subst}(E.f \mapsto E') \iff \text{always}$$

As substitutable formulas only have pure formulas on the left of $\mathrel{-\!*}$ and $\rightarrow$, there is a single heap that is used to evaluate the entire formula. 

Lemma 3.30. If $\mathsf{subst}(A)$, then 

$$(\exists x.\ x = E * A) \equiv_{TPL} A[E/x]$$

Proof. We prove 

$$H, P, \sigma \models_{TPL} A[E/x] \iff H, P, \sigma[x \mapsto \llbracket E \rrbracket_{H,\sigma}] \models_{TPL} A$$

by straightforward induction on the $\mathsf{subst}(A)$ predicate. The $\mathrel{-\!*}$ and $\rightarrow$ cases use that for pure formulas they behave like boolean conditionals (Lemma 3.18). We reuse the expression substitutability proof from the previous lemma. □ 

In Section 5 we will present an encoding from the SL fragment to the IDF fragment of our logic, which preserves semantics. A natural question to ask is, can we encode back from IDF to SL, at least for those IDF assertions which are self-framing? In general, it is surprisingly difficult to define a suitable syntactic translation. A tempting approach is to convert all $\mathsf{acc}(x.f, \pi)$ assertions into $x.f \mapsto v$ for some fresh logical variable $v$, and then to replace any heap-dependent expressions $x.f$ with $v$ elsewhere in the assertion. But this approach fails in two ways: firstly, it does not deal correctly with aliasing. The criteria for an IDF assertion to be self-framing take account of constraints imposed by the assertion itself; for example, $\mathsf{acc}(x.f) * x = y * y.f = 4$ is self-framing. This makes a syntactic replacement of heap-dependent expressions challenging. Furthermore, the correctness of the replacement of all heap-dependent expressions with logical variables depends on a substitution property holding for such expressions. As discussed above, this does not hold for the general logic; the meaning of a heap-dependent expression is actually fixed by the "closest scoped" occurrence of a permission to that location, with respect to implications and wands; in the presence of aliasing this is hard to determine. 

For the subsyntaxes of these logics typically supported by tools, which generally only allow for pure assertions on the left of $\rightarrow$ formulas (and do not support $\mathrel{-\!*}$ in general), we do get a substitution property, as shown above. However, the problem of correctly handling aliasing between heap locations when translating heap-dependent expressions still seems to make defining a correct syntactic translation challenging. 
4. Verification Conditions 

In this section, we precisely connect the semantics of our assertion language with Chalice. Chalice does not provide a direct model for its assertion language. It instead defines the semantics of assertions using the weakest pre-condition semantics of the commands inhale and exhale. We show that this semantics precisely corresponds with the semantics in TPL. 

4.1. Chalice. Chalice is defined by a translation into Boogie2 [9], which generates verification conditions in a many-sorted classical logic with first-order quantification. It has sorts for mathematical maps, which are used by Chalice to encode both the heap and the permission mask. We use $\phi$ to range over formulas in this logic, and $\sigma \models_{FO} \phi$ to mean $\phi$ holds in the standard semantics of first-order logic given the interpretation of free variables $\sigma$. Similarly, $\models_{FO} \phi$ means that $\phi$ holds in all such interpretations. 

The definitions throughout this section generate expressions that have these two specific free variables: $\mathcal{H}$ for the current heap, and $\mathcal{P}$ for the current permission mask. Thus, $\mathcal{H}[x, f] = 5$ means that in the current heap the variable $x$'s field named $f$ contains the value 5. In the assertion logic, this corresponds to $x.f = 5$, in which the heap access is implicit. 

To define the verification conditions for Chalice, we need to be able to translate expressions into the underlying logic using access to the map $\mathcal{H}$. We can provide a syntactic translation from the Chalice assertion logic into the first-order logic. 

Definition 4.1. We translate expressions that implicitly access the heap into expressions that explicitly access the heap as follows: 

$$\llbracket x \rrbracket = x \qquad \llbracket \mathsf{null} \rrbracket = \mathsf{null} \qquad \llbracket E.f \rrbracket = \mathcal{H}[\llbracket E \rrbracket, f]$$

and we translate boolean expressions as: 

$$\llbracket B_1 * B_2 \rrbracket = \llbracket B_1 \rrbracket \wedge \llbracket B_2 \rrbracket \qquad \llbracket E = E' \rrbracket = (\llbracket E \rrbracket = \llbracket E' \rrbracket) \qquad \llbracket E \neq E' \rrbracket = (\llbracket E \rrbracket \neq \llbracket E' \rrbracket)$$

First, we must show some basic facts about the properties of Chalice assertions (cf. Definition 2.4): every Chalice boolean expression is pure, and every Chalice assertion is supported. 



Lemma 4.2. Every Chalice boolean expression $B$ is pure. 

Proof. By trivial induction on $B$. □ 

Lemma 4.3. Every Chalice formula $p$ is supported. 

Proof. We must show 

$$H, P, \sigma \models_{TPL} p \ \wedge\ H, P', \sigma \models_{TPL} p \ \Rightarrow\ H, P \cap P', \sigma \models_{TPL} p$$

We proceed by induction on $p$. 

$p = B$: As $B$ is pure, we know that if it is satisfied in a state, it will also be satisfied with any alternative permission mask. 

$p = \mathsf{acc}(E.f, \pi)$: $P$ and $P'$ must map the field location to $\pi$ or greater, therefore $P \cap P'$ will also map the field location to $\pi$ or greater. 

$p = p_1 * p_2$: Assume $H, P, \sigma \models_{TPL} p_1 * p_2$ and $H, P', \sigma \models_{TPL} p_1 * p_2$. Therefore there exist $P_1$, $P_2$, $P'_1$ and $P'_2$ such that $P_1 * P_2 = P$ and $P'_1 * P'_2 = P'$ and $H, P_1, \sigma \models_{TPL} p_1$ and $H, P_2, \sigma \models_{TPL} p_2$ and $H, P'_1, \sigma \models_{TPL} p_1$ and $H, P'_2, \sigma \models_{TPL} p_2$. By induction, we know $H, P_1 \cap P'_1, \sigma \models_{TPL} p_1$ and $H, P_2 \cap P'_2, \sigma \models_{TPL} p_2$, and thus we can deduce that $H, (P_1 \cap P'_1) * (P_2 \cap P'_2), \sigma \models_{TPL} p_1 * p_2$. We can show $(P_1 \cap P'_1) * (P_2 \cap P'_2) \subseteq (P_1 * P_2) \cap (P'_1 * P'_2)$, which by Proposition 3.13 proves the obligation. 

$p = B \rightarrow p'$: Case split on $H, \emptyset, \sigma \models_{TPL} B$. If $B$ is true, then using Lemma 3.18 the result follows directly by induction. If $B$ is false, then using Lemma 3.18 we have $H, \emptyset, \sigma \models_{TPL} B \rightarrow p'$ as required. □ 

Chalice does not allow arbitrary formulas to be used as arguments to inhale and exhale: it restricts the formulas to be self-framing. Chalice does not use the semantic check from earlier, but instead uses a more syntactic formulation that checks self-framing from left to right. Note that this means that syntactic self-framing is not symmetric with respect to $*$. For instance, $\mathsf{acc}(x.f, \pi) * x.f = 5$ is syntactically self-framing, but $x.f = 5 * \mathsf{acc}(x.f, \pi)$ is not. Somewhat surprisingly this is required by the way the verification conditions are generated. In Chalice the check is actually implemented by a Boogie program. Here, we use the logic to define an equivalent condition (see footnote). 

Definition 4.4 (Syntactic Self-Framing). We define a condition $\mathsf{sframed}(E)$ to express that all the fields mentioned in $E$ are accessible. 

$$\mathsf{sframed}(E.f) \iff \mathsf{sframed}(E) \wedge \mathsf{acc}(E.f, \_)$$

$$\mathsf{sframed}(x) \iff \mathsf{True} \qquad \mathsf{sframed}(\mathsf{null}) \iff \mathsf{True}$$

We lift this to boolean expressions as 

$$\mathsf{sframed}(E = E') \iff \mathsf{sframed}(E) \wedge \mathsf{sframed}(E')$$

$$\mathsf{sframed}(E \neq E') \iff \mathsf{sframed}(E) \wedge \mathsf{sframed}(E')$$

$$\mathsf{sframed}(B_1 * B_2) \iff \mathsf{sframed}(B_1) \wedge (B_1 \rightarrow \mathsf{sframed}(B_2))$$

We lift this to formulas as 

$$\mathsf{sframed}(B \rightarrow p) \iff \mathsf{sframed}(B) \wedge (B \rightarrow \mathsf{sframed}(p))$$

$$\mathsf{sframed}(\mathsf{acc}(E.f, \pi)) \iff \mathsf{sframed}(E)$$

$$\mathsf{sframed}(p_1 * p_2) \iff \mathsf{sframed}(p_1) \wedge (p_1 \mathrel{-\!*} \mathsf{sframed}(p_2))$$

Note that when we check that $p_2$ is framed in $p_1 * p_2$, we can use the assertion $p_1$; these checks do not treat $*$ as commutative. 

A formula $p$ is syntactically self-framing if and only if $\models_{TPL} \mathsf{sframed}(p)$. 

We prove some basic facts about $\mathsf{sframed}(E)$ and $\mathsf{sframed}(B)$: (1) in any state in which $\mathsf{sframed}(E)$ holds, changing the value at any location without permission does not affect $E$'s evaluation; (2) $\mathsf{sframed}(E)$ is (semantically) self-framing; (3) in any state in which $\mathsf{sframed}(B)$ holds, changing the value at any location without permission does not affect $B$'s evaluation; (4) $\mathsf{sframed}(B)$ is self-framing. 



Footnote: The end result of this section can be used to prove that it is equivalent to verifying the Boogie program that Chalice would generate. 
$$wp_{ch}(\mathsf{exhale}(B), \phi) = wp_{ch}(\mathsf{assert}\ \llbracket B \rrbracket, \phi)$$
$$wp_{ch}(\mathsf{exhale}(p_1 * p_2), \phi) = wp_{ch}(\mathsf{exhale}(p_1);\ \mathsf{exhale}(p_2), \phi)$$
$$wp_{ch}(\mathsf{exhale}(\mathsf{acc}(E.f, \pi)), \phi) = wp_{ch}(\mathsf{assert}(\mathcal{P}[\llbracket E \rrbracket, f] \geq \pi);\ \mathcal{P}[\llbracket E \rrbracket, f] := \mathcal{P}[\llbracket E \rrbracket, f] - \pi, \phi)$$
$$wp_{ch}(\mathsf{exhale}(B \rightarrow p), \phi) = wp_{ch}((\mathsf{assume}(\llbracket B \rrbracket);\ \mathsf{exhale}(p)) + \mathsf{assume}(\neg \llbracket B \rrbracket), \phi)$$
$$wp_{ch}(\mathsf{inhale}(B), \phi) = wp_{ch}(\mathsf{assume}\ \llbracket B \rrbracket, \phi)$$
$$wp_{ch}(\mathsf{inhale}(p_1 * p_2), \phi) = wp_{ch}(\mathsf{inhale}(p_1);\ \mathsf{inhale}(p_2), \phi)$$
$$wp_{ch}(\mathsf{inhale}(\mathsf{acc}(E.f, \pi)), \phi) = wp_{ch}(\mathsf{assume}(\mathcal{P}[\llbracket E \rrbracket, f] = 0);\ \mathcal{P}[\llbracket E \rrbracket, f] := \pi;\ \mathsf{havoc}\ \mathcal{H}[\llbracket E \rrbracket, f], \phi)$$
$$\qquad \wedge\ wp_{ch}(\mathsf{assume}(0 < \mathcal{P}[\llbracket E \rrbracket, f] \leq 1 - \pi);\ \mathcal{P}[\llbracket E \rrbracket, f] \mathrel{+}= \pi, \phi)$$
$$wp_{ch}(\mathsf{inhale}(B \rightarrow p), \phi) = wp_{ch}((\mathsf{assume}(\llbracket B \rrbracket);\ \mathsf{inhale}(p)) + \mathsf{assume}(\neg \llbracket B \rrbracket), \phi)$$

where 

$$wp_{ch}(\mathcal{P}[o, f] := x, \phi) = \phi[\mathsf{upd}(\mathcal{P}, (o, f), x)/\mathcal{P}]$$
$$wp_{ch}(\mathsf{havoc}(\mathcal{H}[x, f]), \phi) = \phi[\mathsf{upd}(\mathcal{H}, (x, f), z)/\mathcal{H}] \quad \text{fresh } z$$
$$wp_{ch}(\mathsf{assume}\ \phi', \phi) = \phi' \Rightarrow \phi$$
$$wp_{ch}(\mathsf{assert}\ \phi', \phi) = \phi' \wedge \phi$$
$$wp_{ch}(C_1; C_2, \phi) = wp_{ch}(C_1, wp_{ch}(C_2, \phi))$$
$$wp_{ch}(C_1 + C_2, \phi) = wp_{ch}(C_1, \phi) \wedge wp_{ch}(C_2, \phi)$$

where $\mathsf{upd}(a, b, c)[b] = c$ and $\mathsf{upd}(a, b, c)[d] = a[d]$ provided $d \neq b$. 

Figure 1: Abridged weakest pre-condition semantics for Chalice [10] 

Lemma 4.5. 

(1) If $H, P, \sigma \models_{TPL} \mathsf{sframed}(E)$ and $H' \in \mathsf{interfere}(H, P)$, then $\llbracket E \rrbracket_{H,\sigma} = \llbracket E \rrbracket_{H',\sigma}$. 

(2) $\mathsf{sframed}(E)$ is self-framing. 

(3) If $H, P, \sigma \models_{TPL} \mathsf{sframed}(B)$ and $H' \in \mathsf{interfere}(H, P)$, then $H, P, \sigma \models_{TPL} B$ if and only if $H', P, \sigma \models_{TPL} B$. 

(4) $\mathsf{sframed}(B)$ is self-framing. 

(See page 50 for proof.) 

The key property we require of the $\mathsf{sframed}(p)$ definition is that it allows a wand ($\mathrel{-\!*}$) of a separating conjunction to be considered as a sequence of wands. 

Lemma 4.6. 

(1) $\mathsf{sframed}(p_1) \wedge ((p_1 * p_2) \mathrel{-\!*} p) \models_{TPL} p_1 \mathrel{-\!*} (p_2 \mathrel{-\!*} p)$ 

(2) $\mathsf{sframed}(p_1) \wedge (p_1 \mathrel{-\!*} (p_2 \mathrel{-\!*} p)) \models_{TPL} (p_1 * p_2) \mathrel{-\!*} p$ 

Proof sketch: This proof follows from Proposition 3.26(3)(a) and 3.26(3)(b), Lemma 4.3, and showing 

$$\forall p.\ \langle\!\langle \mathsf{sframed}(p) \rangle\!\rangle \subseteq \mathsf{DisExtFrm}(p)$$

This is proved by induction on $p$. (Full proof on page 52.) 

We can now provide the definitions of the weakest pre-conditions of the commands inhale and exhale. In Figure 1 we present the weakest pre-conditions of commands in Chalice from [10]. We write $wp_{ch}(C, \phi)$ for the weakest pre-condition of the command $C$ given the post-condition $\phi$. Chalice models the inhaling and exhaling of permissions by mutating the permission mask variable. To exhale an equality (or any formula not mentioning the permission mask) we simply assert that it must be true. This does not need to modify the permission mask. To exhale $p * q$, first we exhale $p$ and then $q$. When an accessibility predicate is exhaled, first we check that the permission mask contains sufficient permission, and then we remove the permission from the mask. 

To inhale an equality is simply the same as assuming it. To inhale p* q, we first inhale 
p and then q. There are two cases for inhaling a permission: (1) we don't currently have 
any permission to that location; and (2) we do currently have permission to that location. 
The first case proceeds by adding the permission, and then havocing the contents of that 
location; that is, making sure any previous value of the variable has been forgotten. The 
second case simply adds the permission to the permission mask. 

4.2. Relationship. In the rest of this section, we show that the verification conditions 
(VCs) generated by Chalice are equivalent to those generated by TPL. We focus on the 
inhale and exhale commands, as these represent the semantics of the Chalice assertion 
language. By showing the equivalence, we show that our model of TPL is also a model for 
Chalice. 

We write $wp_{sl}(C, A)$ for the weakest pre-condition in TPL of the formula $A$ with respect to the command $C$. We treat inhale and exhale as the multiplicative versions of assume and assert (see §2.1.1), and thus have the following weakest pre-conditions: 

$$wp_{sl}(\mathsf{exhale}(A_1), A_2) = A_1 * A_2 \qquad wp_{sl}(\mathsf{inhale}(A_1), A_2) = A_1 \mathrel{-\!*} A_2$$

Our core result is to show that both inhale and exhale have equivalent VCs in the two 
approaches. 

First we must extend the first order logic we are considering to additionally contain a 
proposition to represent separation logic assertions. 

Definition 4.7 ($\mathsf{interp}(A)$). We extend the many-sorted first-order logic with an additional atomic proposition $\mathsf{interp}(A)$, which represents the interpretation of an arbitrary TPL formula in first-order logic. 

$$\sigma, \mathcal{H} \mapsto H, \mathcal{P} \mapsto P \models_{FO} \mathsf{interp}(A) \iff H, P, \sigma \models_{TPL} A$$

Note, this definition is not required by Chalice, but it allows us to express our proof 
by induction on the structure of the formula, by providing a single logic in which we can 
describe both the Chalice VCs and the TPL judgements. 

Definition 4.8 ($\mathsf{equiv}(C)$). We define the VCs of a command as equivalent in both systems, $\mathsf{equiv}(C)$, iff for every TPL assertion $A$, we have 

$$\models_{FO} \mathsf{interp}(wp_{sl}(C, A)) \iff wp_{ch}(C, \mathsf{interp}(A))$$

The key to showing that our semantics for TPL correctly reflects that of Chalice is to show that the VCs generated for the inhale and exhale commands are equivalent. The exhale is straightforward. 

Lemma 4.9. $\forall p.\ \mathsf{equiv}(\mathsf{exhale}\ p)$ 

Proof. By induction on $p$. □ 
The proof for inhale is more involved. This depends on the inhaled formula being syntactically self-framing. We define two Boogie commands, $\mathsf{assertTPL}(A)$ to assert that a TPL assertion must hold at this point in the execution, and $\mathsf{assertFrm}(p)$ to assert that a Chalice formula will be framed if it is inhaled in the current state. 

Definition 4.10. 

• $\mathsf{assertTPL}(A) = \mathsf{assert}(\mathsf{interp}(A))$ 

• $\mathsf{assertFrm}(p) = \mathsf{assertTPL}(\mathsf{sframed}(p))$ 

We lift the ability to curry and uncurry $\mathrel{-\!*}$ into the VC world. This is required to allow us to prove that an inhale of a $*$ can be replaced by two inhales, as Chalice does. 

Lemma 4.11. 

$$wp_{ch}(\mathsf{assertFrm}(p_1), \mathsf{interp}(p_1 \mathrel{-\!*} (p_2 \mathrel{-\!*} A))) \iff wp_{ch}(\mathsf{assertFrm}(p_1), \mathsf{interp}((p_1 * p_2) \mathrel{-\!*} A))$$

Proof. The left to right direction follows using Lemma 4.6: 

$$wp_{ch}(\mathsf{assertFrm}(p_1), \mathsf{interp}(p_1 \mathrel{-\!*} (p_2 \mathrel{-\!*} A)))$$
$$\Rightarrow wp_{ch}(\mathsf{assertFrm}(p_1), \mathsf{interp}(\mathsf{sframed}(p_1)) \wedge \mathsf{interp}(p_1 \mathrel{-\!*} (p_2 \mathrel{-\!*} A)))$$
$$\Rightarrow wp_{ch}(\mathsf{assertFrm}(p_1), \mathsf{interp}(\mathsf{sframed}(p_1) \wedge (p_1 \mathrel{-\!*} (p_2 \mathrel{-\!*} A))))$$
$$\Rightarrow wp_{ch}(\mathsf{assertFrm}(p_1), \mathsf{interp}(\mathsf{sframed}(p_1) \wedge ((p_1 * p_2) \mathrel{-\!*} A)))$$

The reverse direction follows similarly. □ 

We want to show that if $p$ is syntactically self-framing, then $\mathsf{inhale}\ p$ is equivalent in both approaches. However, we need to prove a stronger fact that accounts for the permissions we may have inhaled so far. In particular, as $\mathsf{inhale}\ p_1 * p_2$ is implemented by first inhaling $p_1$ and then $p_2$, when we consider inhaling $p_2$ it need not be self-framing. However, the context will have inhaled sufficient permissions that it is framed in that context. We prove that the VCs are equivalent in a context in which the inhale is framed. 

We consider states in which, if we extend the environment to satisfy p, then p will be 
framed. In these states, asserting the formula p ^ A and then inhaling p, is equivalent to 
inhaling p, and then asserting that A must hold. 

Lemma 4.12. 

$$wp_{ch}(\mathsf{assertFrm}(p);\ \mathsf{assertTPL}(p \mathrel{-\!*} A);\ \mathsf{inhale}\ p,\ \phi) \iff wp_{ch}(\mathsf{assertFrm}(p);\ \mathsf{inhale}\ p;\ \mathsf{assertTPL}(A),\ \phi)$$

Proof. We abbreviate $\mathsf{assertFrm}(p)$ to $\mathsf{assFrm}(p)$, and $\mathsf{assertTPL}(A)$ to $\mathsf{assTPL}(A)$. By induction on $p$. We first consider the $*$ case: 

$wp_{ch}(\mathsf{assFrm}(p_1 * p_2);\ \mathsf{assTPL}((p_1 * p_2) \mathrel{-\!*} A);\ \mathsf{inhale}\ p_1 * p_2,\ \phi)$ 
$\iff wp_{ch}(\mathsf{assFrm}(p_1 * p_2);\ \mathsf{assFrm}(p_1);\ \mathsf{assTPL}((p_1 * p_2) \mathrel{-\!*} A);\ \mathsf{inhale}\ p_1 * p_2,\ \phi)$ 
$\iff wp_{ch}(\mathsf{assFrm}(p_1 * p_2);\ \mathsf{assFrm}(p_1);\ \mathsf{assTPL}(p_1 \mathrel{-\!*} p_2 \mathrel{-\!*} A);\ \mathsf{inhale}\ p_1;\ \mathsf{inhale}\ p_2,\ \phi)$ 
$\iff wp_{ch}(\mathsf{assFrm}(p_1);\ \mathsf{assTPL}(p_1 \mathrel{-\!*} \mathsf{sframed}(p_2));\ \mathsf{inhale}\ p_1;\ \mathsf{assTPL}(p_2 \mathrel{-\!*} A);\ \mathsf{inhale}\ p_2,\ \phi)$ 
$\iff wp_{ch}(\mathsf{assFrm}(p_1);\ \mathsf{inhale}\ p_1;\ \mathsf{assFrm}(p_2);\ \mathsf{assTPL}(p_2 \mathrel{-\!*} A);\ \mathsf{inhale}\ p_2,\ \phi)$ 
$\iff wp_{ch}(\mathsf{assFrm}(p_1);\ \mathsf{inhale}\ p_1;\ \mathsf{assFrm}(p_2);\ \mathsf{inhale}\ p_2;\ \mathsf{assTPL}(A),\ \phi)$ 
$\iff wp_{ch}(\mathsf{assFrm}(p_1);\ \mathsf{assTPL}(p_1 \mathrel{-\!*} \mathsf{sframed}(p_2));\ \mathsf{inhale}\ p_1;\ \mathsf{inhale}\ p_2;\ \mathsf{assTPL}(A),\ \phi)$ 
$\iff wp_{ch}(\mathsf{assFrm}(p_1 * p_2);\ \mathsf{inhale}\ p_1 * p_2;\ \mathsf{assTPL}(A),\ \phi)$ 

For the access permission case, we can subdivide this into three further cases: (1) where the model contains no permission for $E.f$; (2) where the model contains more than 0, and less than or equal to $1 - \pi$ permission for $E.f$; and (3) where the model contains more than $1 - \pi$ permission for $E.f$. The third case is trivial, so we just present the first two. First we consider the case $\mathcal{P}[\llbracket E \rrbracket, f] = 0$: 

$wp_{ch}(\mathsf{assTPL}(\mathsf{acc}(E.f, \pi) \mathrel{-\!*} A);\ \mathsf{inhale}\ \mathsf{acc}(E.f, \pi),\ \phi)$ 
$\iff wp_{ch}(\mathsf{assTPL}(\mathsf{acc}(E.f, \pi) \mathrel{-\!*} A);\ \mathcal{P}[\llbracket E \rrbracket, f] := \pi;\ \mathsf{havoc}\ \mathcal{H}[\llbracket E \rrbracket, f],\ \phi)$ 
$\iff wp_{ch}(\mathsf{inhale}\ \mathsf{acc}(E.f, \pi);\ \mathsf{assTPL}(A),\ \phi)$ 

Second, we consider the case $0 < \mathcal{P}[\llbracket E \rrbracket, f] \leq 1 - \pi$: 

$wp_{ch}(\mathsf{assTPL}(\mathsf{acc}(E.f, \pi) \mathrel{-\!*} A);\ \mathsf{inhale}\ \mathsf{acc}(E.f, \pi),\ \phi)$ 
$\iff wp_{ch}(\mathsf{assTPL}(\mathsf{acc}(E.f, \pi) \mathrel{-\!*} A);\ \mathcal{P}[\llbracket E \rrbracket, f] \mathrel{+}= \pi,\ \phi)$ 
$\iff wp_{ch}(\mathsf{inhale}\ \mathsf{acc}(E.f, \pi);\ \mathsf{assTPL}(A),\ \phi)$ 

Finally, we present the implication case. We split this into two cases depending on whether the left of the implication holds. First we assume $\llbracket B \rrbracket$ holds in the current model: 

$wp_{ch}(\mathsf{assFrm}(B \rightarrow p);\ \mathsf{assTPL}((B \rightarrow p) \mathrel{-\!*} A);\ \mathsf{inhale}(B \rightarrow p),\ \phi)$ 
$\iff wp_{ch}(\mathsf{assFrm}(B \rightarrow p);\ \mathsf{assTPL}(p \mathrel{-\!*} A);\ \mathsf{inhale}\ p,\ \phi)$ 
$\iff wp_{ch}(\mathsf{assFrm}(B \rightarrow p);\ \mathsf{assTPL}(B \rightarrow \mathsf{sframed}(p));\ \mathsf{assTPL}(p \mathrel{-\!*} A);\ \mathsf{inhale}\ p,\ \phi)$ 
$\iff wp_{ch}(\mathsf{assFrm}(B \rightarrow p);\ \mathsf{assFrm}(p);\ \mathsf{assTPL}(p \mathrel{-\!*} A);\ \mathsf{inhale}(p),\ \phi)$ 
$\iff wp_{ch}(\mathsf{assFrm}(B \rightarrow p);\ \mathsf{assFrm}(p);\ \mathsf{inhale}(p);\ \mathsf{assTPL}(A),\ \phi)$ 
$\iff wp_{ch}(\mathsf{assFrm}(B \rightarrow p);\ \mathsf{inhale}(p);\ \mathsf{assTPL}(A),\ \phi)$ 
$\iff wp_{ch}(\mathsf{assFrm}(B \rightarrow p);\ \mathsf{inhale}(B \rightarrow p);\ \mathsf{assTPL}(A),\ \phi)$ 

and secondly, we assume $\llbracket B \rrbracket$ does not hold in the model: 

$wp_{ch}(\mathsf{assFrm}(B \rightarrow p);\ \mathsf{assTPL}((B \rightarrow p) \mathrel{-\!*} A);\ \mathsf{inhale}(B \rightarrow p),\ \phi)$ 
$\iff wp_{ch}(\mathsf{assFrm}(B \rightarrow p);\ \mathsf{assTPL}(\mathsf{true} \mathrel{-\!*} A);\ \mathsf{inhale}(\mathsf{true}),\ \phi)$ 
$\iff wp_{ch}(\mathsf{assFrm}(B \rightarrow p);\ \mathsf{assTPL}(\mathsf{true} \mathrel{-\!*} A),\ \phi)$ 
$\iff wp_{ch}(\mathsf{assFrm}(B \rightarrow p);\ \mathsf{assTPL}(A),\ \phi)$ 
$\iff wp_{ch}(\mathsf{assFrm}(B \rightarrow p);\ \mathsf{inhale}(B \rightarrow p);\ \mathsf{assTPL}(A),\ \phi)$ □ 

Corollary 4.13. If $p$ is syntactically self-framing, then $\mathsf{equiv}(\mathsf{inhale}\ p)$. 

Proof. By the previous lemma, we know: 

$$wp_{ch}(\mathsf{assFrm}(p);\ \mathsf{assTPL}(p \mathrel{-\!*} A);\ \mathsf{inhale}\ p,\ \mathsf{true}) \iff wp_{ch}(\mathsf{assFrm}(p);\ \mathsf{inhale}\ p;\ \mathsf{assTPL}(A),\ \mathsf{true})$$

As $wp_{ch}(\mathsf{inhale}\ p, \mathsf{true}) = \mathsf{true}$ and $wp_{ch}(\mathsf{assTPL}(A), \mathsf{true}) = \mathsf{interp}(A)$, we know 

$$wp_{ch}(\mathsf{assFrm}(p), \mathsf{interp}(p \mathrel{-\!*} A)) \iff wp_{ch}(\mathsf{assFrm}(p);\ \mathsf{inhale}\ p,\ \mathsf{interp}(A))$$

As $p$ is syntactically self-framing we have 

$$\mathsf{interp}(p \mathrel{-\!*} A) \iff wp_{ch}(\mathsf{inhale}\ p, \mathsf{interp}(A))$$

By the definition of separation logic weakest pre-conditions, we have 

$$\mathsf{interp}(wp_{sl}(\mathsf{inhale}\ p, A)) \iff wp_{ch}(\mathsf{inhale}\ p, \mathsf{interp}(A))$$

as required. □ 
Remark 4.14. Without the syntactic self-framing requirement on inhales, it would be
unsound to break $\mathsf{inhale}\ A_1 * A_2$ into $\mathsf{inhale}\ A_1;\ \mathsf{inhale}\ A_2$. In particular, in the Chalice
semantics, the behaviours of $\mathsf{inhale}(A_1 * A_2)$ and $\mathsf{inhale}(A_2 * A_1)$ are different. For instance,
consider $\mathsf{inhale}(x.f = 3 * \mathsf{acc}(x.f))$ and $\mathsf{inhale}(\mathsf{acc}(x.f) * x.f = 3)$.

$wp_{ch}(\mathsf{inhale}(x.f = 3 * \mathsf{acc}(x.f)),\ [\![x.f = 3]\!]) \Longleftrightarrow x.f \neq 3$
$wp_{ch}(\mathsf{inhale}(\mathsf{acc}(x.f) * x.f = 3),\ [\![x.f = 3]\!]) \Longleftrightarrow \mathsf{true}$

The translation given by Smans et al. [18] does not suffer this problem as it does the
analogue of inhale in a single step. However, it checks self-framing in a similar way, and
thus would also rule out the first inhale.
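As an added illustration of the remark (our code, not the paper's), the following Python models Chalice's inhale on a single location x.f as a mask update plus a havoc when no permission was previously held, and computes the two weakest pre-conditions over a small finite value domain; the tuple encoding of conjuncts and all names are ours.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import Callable, Dict, List, Tuple

# A state records the single location x.f: its heap value H[x, f] and the
# permission P[x, f] currently held to it (0 means no permission).
@dataclass(frozen=True)
class State:
    xf: int
    perm: Fraction

Pred = Callable[[State], bool]
# Finite value domain so the universal quantifier introduced by havoc is checkable.
VALUES = range(-2, 6)
# Conjuncts of an inhaled assertion: ("eq", n) is x.f = n, ("acc", pi) is acc(x.f, pi).
Conj = Tuple[str, object]

def wp_inhale_conjunct(conj: Conj, post: Pred) -> Pred:
    kind, arg = conj
    if kind == "eq":
        # inhale(x.f = n) is assume x.f = n, so wp = (x.f = n ==> post)
        return lambda s: s.xf != arg or post(s)
    if kind == "acc":
        pi = Fraction(arg)
        def wp(s: State) -> bool:
            if s.perm == 0:
                # No permission held yet: P[x, f] += pi and H[x, f] is havoced,
                # so post must hold for every possible new value of x.f.
                return all(post(State(v, s.perm + pi)) for v in VALUES)
            # Some permission already held: only the mask changes, no havoc.
            return post(State(s.xf, s.perm + pi))
        return wp
    raise ValueError(f"unknown conjunct kind {kind!r}")

def wp_inhale(assertion: List[Conj], post: Pred) -> Pred:
    # inhale(A1 * A2) is treated as inhale A1; inhale A2, so the weakest
    # pre-condition is built from the last conjunct backwards.
    for conj in reversed(assertion):
        post = wp_inhale_conjunct(conj, post)
    return post

POST: Pred = lambda s: s.xf == 3                      # the post-condition [[x.f = 3]]
EQ_THEN_ACC: List[Conj] = [("eq", 3), ("acc", 1)]     # inhale(x.f = 3 * acc(x.f))
ACC_THEN_EQ: List[Conj] = [("acc", 1), ("eq", 3)]     # inhale(acc(x.f) * x.f = 3)

def wp_table(assertion: List[Conj], perm) -> Dict[int, bool]:
    """Truth table of wp(inhale assertion, x.f = 3) over the initial value of x.f,
    starting from a state holding permission `perm` to x.f."""
    pre = wp_inhale(assertion, POST)
    return {v: pre(State(v, Fraction(perm))) for v in VALUES}

if __name__ == "__main__":
    # Expected: the first table is x.f != 3, the second is identically true.
    print(wp_table(EQ_THEN_ACC, 0))
    print(wp_table(ACC_THEN_EQ, 0))
```

With some permission already held, inhaling the access predicate no longer havocs the location, which is why the order only matters in the first case of the lemma above.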



5. Mapping Separation Logic into Implicit Dynamic Frames 

We are now in a position to draw together our various results, and show that SL-based
verification can be simulated using IDF and Chalice. The overall approach is to show that,
if one calculates weakest pre-conditions for a program using SL specifications, then there is
a corresponding translated program in which one uses IDF specifications, and can calculate
Chalice weakest pre-conditions which turn out to be equivalent to the SL ones. Just as in
Section 3, we can use the projection of a total heap down to a permissions mask, to relate
the evaluation of the two resulting assertions.

Just as in the preceding section, we focus our attention on inhale and exhale statements, 
since all commands which deal with changes to the footprint/permissions held in the state 
(e.g., method calls, fork/join of threads, acquire/release of locks) can be de-sugared down 
to these (other commands such as variable assignment can be treated uniformly in both 
worlds). Therefore, we aim to prove that the two different ways of calculating weakest 
pre-conditions produce equivalent results for both inhale and exhale statements. 

Firstly, we state a few simple results which distribute equivalent assertions over various 
constructions. 

Lemma 5.1 (Distributing Equivalences). For all TPL assertions $A_1$ and $A_2$ such that
$A_1 \equiv_{TPL} A_2$, we have:

(1) For all TPL assertions $A_3$: $wp_{sl}(\mathsf{inhale}(A_1), A_3) \equiv_{TPL} wp_{sl}(\mathsf{inhale}(A_2), A_3)$ and similarly
$wp_{sl}(\mathsf{exhale}(A_1), A_3) \equiv_{TPL} wp_{sl}(\mathsf{exhale}(A_2), A_3)$.

(2) The first-order assertions $\mathsf{interp}(A_1)$ and $\mathsf{interp}(A_2)$ are equivalent.

(3) For all TPL assertions $A_3$, the first-order assertions $wp_{ch}(\mathsf{inhale}(A_3), \mathsf{interp}(A_1))$ and
$wp_{ch}(\mathsf{inhale}(A_3), \mathsf{interp}(A_2))$ are equivalent (and analogously for $\mathsf{exhale}(A_3)$).

(4) For all TPL assertions $A_3$, the first-order assertion $\mathsf{interp}(wp_{sl}(\mathsf{inhale}(A_1), A_3))$ is
equivalent to $\mathsf{interp}(wp_{sl}(\mathsf{inhale}(A_2), A_3))$. Similarly $\mathsf{interp}(wp_{sl}(\mathsf{exhale}(A_1), A_3))$ is
equivalent to $\mathsf{interp}(wp_{sl}(\mathsf{exhale}(A_2), A_3))$.

Proof. The first three parts follow straightforwardly from the corresponding definitions (and
the fact that the definitions for weakest pre-conditions never inspect the post-condition).
The fourth part is simply a combination of the first two. □
We now need to identify the fragment of separation logic which can be encoded into the
syntax of Chalice (cf. Definition 2.4). This syntax roughly corresponds with the syntaxes
supported by most separation-logic-based tools (in particular, no points-to predicates are
permitted on the left of implications; a very common restriction which avoids needing to
implement the full technical complexity of the connective; cf. Lemma 3.18). In order to
avoid introducing further meta-variables to our notation, we will reuse the notation for full
separation logic ($a$ for assertions, $e$ for expressions), but will clarify explicitly when we mean
the restricted assertion syntax defined here.

Definition 5.2 (Restricted Separation Logic). Expressions $e$, boolean expressions $b$ and
restricted separation logic assertions $a$ are given by the following syntax definitions:

$e ::= x \mid \mathsf{null} \mid n$

$b ::= e = e \mid e \neq e \mid b * b$

$a ::= b \mid e.f \mapsto_\pi e \mid a * a \mid b \rightarrow a \mid \exists v.\ e.f \mapsto_\pi v * a$

We allow a restricted form of existential in the syntax. It requires that the existential 
is witnessed by a particular field in the heap. This restriction is often implicit in tools 
for separation logic that support existentials. Without this restriction tools are typically 
incomplete. 

We can represent the separation logic points-to predicate in terms of the Chalice accessibility
predicate and a (heap-dependent) equality.

Proposition 5.3. For all $e, f, e', \pi$ we have $e.f \mapsto_\pi e' \equiv_{TPL} \mathsf{acc}(e.f, \pi) * e.f = e'$.

Proof. Directly from the semantics. □

Thus, we define the obvious translation from restricted separation logic assertions to 
those of Chalice: 

Definition 5.4 (Mapping Restricted Separation Logic to Chalice). We define a mapping
$[a]$ from restricted separation logic assertions to Chalice assertions (cf. Definition 2.4)
recursively as follows:

$[b] = b$

$[e_1.f \mapsto_\pi e_2] = (\mathsf{acc}(e_1.f, \pi) * e_1.f = e_2)$
$[a_1 * a_2] = [a_1] * [a_2]$
$[b \rightarrow a] = b \rightarrow [a]$

$[\exists v.\ e.f \mapsto_\pi v * a] = \mathsf{acc}(e.f, \pi) * [a][e.f/v]$

As the existential is witnessed by a particular heap location, in the translation to Chalice
the existential can be eliminated by substituting the heap-dependent expression. The
translation preserves the semantics of the original assertion, which is a simple generalisation
of Proposition 5.3.

Lemma 5.5 (Mapping to Chalice Preserves Semantics). For all restricted separation logic
assertions $a$, we have $a \equiv_{TPL} [a]$.

Proof. By straightforward induction on the structure of $a$, using Definition 3.7 and Proposition
5.3. The existential case uses Lemma 3.30. □
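An added example (our code, not the paper's) implementing the mapping $[a]$ of Definition 5.4 over a small AST for the syntax of Definition 5.2, including the substitution $[a][e.f/v]$ that eliminates the field-witnessed existential; the constructor names, the string form of $\pi$, and the printed Chalice syntax (`&&`, `==>`) are our choices.

```python
from dataclasses import dataclass
from typing import Union

# Expressions e ::= x | null | n (Definition 5.2); Field(e, f) is the heap-dependent
# expression e.f, which only the translation introduces.
@dataclass(frozen=True)
class Var: name: str
@dataclass(frozen=True)
class Null: pass
@dataclass(frozen=True)
class Num: n: int
@dataclass(frozen=True)
class Field: e: object; f: str
Expr = Union[Var, Null, Num, Field]

# Boolean expressions b ::= e = e | e != e | b * b
@dataclass(frozen=True)
class Eq: l: Expr; r: Expr
@dataclass(frozen=True)
class Neq: l: Expr; r: Expr
@dataclass(frozen=True)
class BAnd: l: object; r: object

# Restricted SL assertions a ::= b | e.f |->_pi e' | a * a | b -> a | exists v. e.f |->_pi v * a
@dataclass(frozen=True)
class PointsTo: e: Expr; f: str; pi: str; val: Expr
@dataclass(frozen=True)
class Star: l: object; r: object
@dataclass(frozen=True)
class Impl: b: object; a: object
@dataclass(frozen=True)
class ExistsPt: v: str; e: Expr; f: str; pi: str; a: object
# Chalice accessibility predicate acc(e.f, pi): the only Chalice-specific constructor.
@dataclass(frozen=True)
class Acc: e: Expr; f: str; pi: str

def subst(t, v: str, by):
    """[t][by/v]: replace the logical variable v by the expression `by` in a Chalice term."""
    if isinstance(t, Var):
        return by if t.name == v else t
    if isinstance(t, (Null, Num)):
        return t
    if isinstance(t, Field):
        return Field(subst(t.e, v, by), t.f)
    if isinstance(t, (Eq, Neq, BAnd, Star)):
        return type(t)(subst(t.l, v, by), subst(t.r, v, by))
    if isinstance(t, Impl):
        return Impl(subst(t.b, v, by), subst(t.a, v, by))
    if isinstance(t, Acc):
        return Acc(subst(t.e, v, by), t.f, t.pi)
    raise TypeError(f"cannot substitute into {t!r}")

def translate(a):
    """The mapping [a] of Definition 5.4 from restricted SL to Chalice assertions."""
    if isinstance(a, (Eq, Neq, BAnd)):      # [b] = b
        return a
    if isinstance(a, PointsTo):             # [e.f |-> e'] = acc(e.f, pi) * e.f = e'
        return Star(Acc(a.e, a.f, a.pi), Eq(Field(a.e, a.f), a.val))
    if isinstance(a, Star):                 # [a1 * a2] = [a1] * [a2]
        return Star(translate(a.l), translate(a.r))
    if isinstance(a, Impl):                 # [b -> a] = b -> [a]
        return Impl(a.b, translate(a.a))
    if isinstance(a, ExistsPt):             # [exists v. e.f |-> v * a] = acc(e.f, pi) * [a][e.f/v]
        return Star(Acc(a.e, a.f, a.pi), subst(translate(a.a), a.v, Field(a.e, a.f)))
    raise TypeError(f"not a restricted SL assertion: {a!r}")

def mentions(t, v: str) -> bool:
    """True if the logical variable v still occurs in the Chalice term t."""
    if isinstance(t, Var):
        return t.name == v
    if isinstance(t, (Null, Num)):
        return False
    if isinstance(t, (Field, Acc)):
        return mentions(t.e, v)
    if isinstance(t, Impl):
        return mentions(t.b, v) or mentions(t.a, v)
    return mentions(t.l, v) or mentions(t.r, v)

def show(t) -> str:
    """Render a Chalice term in concrete syntax (&& and ==> as in Chalice)."""
    if isinstance(t, Var): return t.name
    if isinstance(t, Null): return "null"
    if isinstance(t, Num): return str(t.n)
    if isinstance(t, Field): return f"{show(t.e)}.{t.f}"
    if isinstance(t, Eq): return f"{show(t.l)} = {show(t.r)}"
    if isinstance(t, Neq): return f"{show(t.l)} != {show(t.r)}"
    if isinstance(t, BAnd): return f"({show(t.l)} && {show(t.r)})"
    if isinstance(t, Acc): return f"acc({show(t.e)}.{t.f}, {t.pi})"
    if isinstance(t, Star): return f"({show(t.l)} * {show(t.r)})"
    if isinstance(t, Impl): return f"({show(t.b)} ==> {show(t.a)})"
    raise TypeError(f"cannot print {t!r}")

# Constructed sample: exists v. x.f |->_1 v * v.g |->_1 3
SAMPLE = ExistsPt("v", Var("x"), "f", "1", PointsTo(Var("v"), "g", "1", Num(3)))

if __name__ == "__main__":
    print(show(translate(SAMPLE)))   # (acc(x.f, 1) * (acc(x.f.g, 1) * x.f.g = 3))
```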
We can now combine the results of this section to relate the two different notions of
weakest pre-conditions in combination with the appropriate translation from one assertion 
syntax to the other. 

Theorem 5.6 (Weakest Pre-condition Calculations Equivalent). For any restricted SL
assertion $a$, and any TPL assertion $A$, we have:

$\models_{FO} \mathsf{interp}(wp_{sl}(\mathsf{inhale}(a), A)) \Longleftrightarrow wp_{ch}(\mathsf{inhale}([a]), \mathsf{interp}(A))$

and

$\models_{FO} \mathsf{interp}(wp_{sl}(\mathsf{exhale}(a), A)) \Longleftrightarrow wp_{ch}(\mathsf{exhale}([a]), \mathsf{interp}(A))$

Proof. Consider the first case of the result (for inhale statements). By Lemma 5.1(4) and
Lemma 5.5, we have that:

$\models_{FO} \mathsf{interp}(wp_{sl}(\mathsf{inhale}(a), A)) \Longleftrightarrow \mathsf{interp}(wp_{sl}(\mathsf{inhale}([a]), A))$

By Corollary 4.13 (noting that $[a]$ is a syntactically self-framing Chalice assertion), we also
know that:

$\models_{FO} \mathsf{interp}(wp_{sl}(\mathsf{inhale}([a]), A)) \Longleftrightarrow wp_{ch}(\mathsf{inhale}([a]), \mathsf{interp}(A))$

Combining these two lines, we have the claimed result.

The case for exhale statements is analogous, using Lemma 4.9 instead of Corollary 4.13. □

Finally, we can draw together these results with the main result of Section [3l to show 
the equivalence of the two overall approaches. 

Corollary 5.7 (Verifying Restricted Separation Logic in Chalice). For any restricted SL
assertion $a$, and any (unrestricted) SL assertion $a'$, and any environment $\sigma$, total heap $H$,
and permission mask $P$, we have both:

$(H{\upharpoonright}P), \sigma \models_{SL} wp_{sl}(\mathsf{exhale}(a), a')$
$\Longleftrightarrow$
$\sigma, \mathsf{H} \mapsto H, \mathsf{P} \mapsto P \models_{FO} wp_{ch}(\mathsf{exhale}([a]), \mathsf{interp}([a']))$

and:

$(H{\upharpoonright}P), \sigma \models_{SL} wp_{sl}(\mathsf{inhale}(a), a')$
$\Longleftrightarrow$
$\sigma, \mathsf{H} \mapsto H, \mathsf{P} \mapsto P \models_{FO} wp_{ch}(\mathsf{inhale}([a]), \mathsf{interp}([a']))$

Proof. By Theorem 5.6 and Definition 4.7 we have:

$H, P, \sigma \models_{TPL} wp_{sl}(\mathsf{exhale}(a), a') \Longleftrightarrow \sigma, \mathsf{H} \mapsto H, \mathsf{P} \mapsto P \models_{FO} wp_{ch}(\mathsf{exhale}([a]), \mathsf{interp}(a'))$

and

$H, P, \sigma \models_{TPL} wp_{sl}(\mathsf{inhale}(a), a') \Longleftrightarrow \sigma, \mathsf{H} \mapsto H, \mathsf{P} \mapsto P \models_{FO} wp_{ch}(\mathsf{inhale}([a]), \mathsf{interp}(a'))$

By Lemmas 5.5 and 5.1(2), we have that the two assertions $\mathsf{interp}(a')$ and $\mathsf{interp}([a'])$
are equivalent. Therefore, by Lemma 5.1(3) and Theorem 3.20 we obtain the two desired
equivalences. □
In this section, we have shown that the encoding of inhale and exhale into Boogie2
is equivalent to the separation logic weakest pre-condition semantics. As a consequence, 
we have shown two things: (1) our model accurately reflects the semantics of Chalice's 
assertion language, and (2) a fragment of separation logic can be directly encoded into 
Chalice precisely preserving its semantics. 

6. Related Work 

In this paper, we have provided a logic related to separation logic [6, 12], which allows
arbitrary expressions over the heap. We have modified the standard presentation of an
object-oriented heap for separation logic [14] to separate the notion of access from value
(and thereby also relate to implicit dynamic frames [17]). Most previous separation logics
have combined these two concepts. One notable exception is the separation logic for
reasoning about Cminor [1]. This logic also separates the ability to access memory, the
mask, from the actual contents of the heap. The choice in this work was to enable a reuse
of an existing operational semantics for Cminor, rather than producing a new operational
semantics involving partial states. In the Cminor separation logic, they do not consider
the definition of magic wand, or weakest pre-condition semantics, which is crucial for the
connection with Chalice [10]. Benton and Leperchey [3] also provide a logic for sequential
program reasoning that uses total heaps and maps defining which locations can be accessed.

Smans' original presentation of IDF was implemented in a tool, VeriCool [18, 17]. The
results in this paper should also apply to the verification conditions generated by VeriCool.
In recent work, Smans et al. [19] describe an IDF approach as a separation logic. However,
they do not present a model of the assertions, just the VCs of their analogues to inhale
and exhale. Hence, the work does not provide the strong connection between the VCs and
the model of separation logic that we have provided. VeriCool does however have a sound
implementation of abstract predicates and pure functions (in fact, two different approaches;
one for verification condition generation, as in [18], and one for symbolic execution, as in
[19]). However, the approach for verification condition generation requires the formalisation
of weakest pre-conditions in the presence of background axioms (used to define the
meanings of predicates and pure methods). The use of these axioms cannot be summarised
simply as part of a weakest pre-condition calculation, since the approach taken allows the
prover to instantiate these axioms in an unbounded (and potentially non-terminating) way.
Similarly, a comparison with a symbolic-execution-based approach would require more technical
machinery than our current arguments based on first-order verification conditions. A
comparison based on a runtime semantics for a language (as used to formalise soundness in
[18]) might work better than one dealing with a verification semantics, but this is beyond
the scope of our work.

There have been many other approaches based on dynamic frames [7, 8] to enable
automated verification with standard verification tool chains; for instance, Dafny [16] and
Region Logic [2]. Like Chalice, both also encode into Boogie2. The connection between
these logics and separation logic is less clear. They explicitly talk about the footprint of an
assertion, rather than implicitly. However, our new separation logic might facilitate future
comparisons.
7. Extensions and Applications

In this section we highlight the potential impact of our connection between separation logic 
and the implicit dynamic frames of Chalice, by explaining several ways in which ideas from 
one world can be transferred to the other. 

Supporting Extra Connectives. Our TPL logic supports many more connectives than have 
previously existed in implicit dynamic frames logics. For example, the support for a "magic 
wand" in the logic (or indeed an unrestricted logical implication) is a novel contribution, 
which paves the way for investigating how to extend Chalice to support this much-richer 
assertion language. While a formal semantics for the magic wand does not immediately tell 
us how to implement inhaling and exhaling such assertions correctly, it provides us with a 
means of formally evaluating such a proposal. Furthermore, our direct semantics for the 
assertion logic of Chalice provides a means of judging whether a particular implementation 
is faithful to the intended logical semantics. 

In addition, while the notions of minimal permission extensions and locally-havoced 
heap extensions are technically complex, it seems that the resulting semantics for the magic 
wand may actually simplify the problem of defining a suitable weakest-precondition seman- 
tics. This is because, whereas the classical semantics of the separation logic magic wand 
involves a quantification over states (which is problematic for encoding to a first-order 
prover), the semantics we present in this paper can, in the (common) case of supported 
assertions, eliminate the need for the quantifier altogether; we need only check the unique, 
minimal extension of the initial state to make the left-hand side true, if such an extension 
exists. Exploring the practical consequences of these observations will be interesting future 
work. 

Evaluating the Chalice Implementation. Various design decisions in the Chalice methodology
can be evaluated using our formal semantics. For example, Chalice deals with potential
interference from other threads by "havocing" heap locations whenever permission to the 
location is newly granted. An alternative design would be to "havoc" such locations when- 
ever all permission to them was given up in an exhale, instead. This would provide different 
weakest pre-conditions for Chalice commands, and it would be interesting to investigate 
what differences this design decision makes from a theoretical perspective. Our results 
provide the necessary basis for such investigations. 

Separation logics typically feature recursive (abstract) predicates in their assertion lan- 
guage. The Chalice tool also includes an experimental implementation of recursive predi- 
cates (without arguments), along with the use of "functions" in specifications to describe 
properties of the state in a way which could support information hiding. In the course 
of investigating how to extend our results to handle predicates in the assertion logics, we 
discovered that the current approach to handling predicates/functions in Chalice is actually 
unsound in the presence of functions and the decision to havoc on inhales rather than ex- 
hales. We, along with other Chalice contributors, are now working on a redesign of Chalice 
predicates based on our findings. As above, the formal semantics and connections we have 
provided give us excellent tools for evaluating such a redesign. 
Implementing Separation Logic. One exciting outcome of the results we have presented
is that a certain fragment of separation logic specifications can be directly represented 
in implicit dynamic frames and automatically verified using the Chalice tool. This is a 
consequence of three results: 

(1) We have shown that our total heap semantics for separation logic coincides with its 
prior partial heaps semantics. 

(2) We have shown that we can replace all "points-to" predicates with logical primitives 
from implicit dynamic frames, preserving semantics. 

(3) We have shown that the Chalice weakest-pre-condition calculation agrees with the weak- 
est pre-conditions used in separation logic verification. 

The critical aspect which is missing is the treatment of predicates - once we can extend 
our correspondence results to handle recursively-defined predicates in the logics (which 
are used in virtually all separation logic verification examples), then it will be possible to 
exploit our work to use Chalice to implement separation logic verification. This will open 
up many interesting practical areas of work, in comparing the performance and encodings 
of verification problems between Chalice and separation logic based tools. 

Old Expressions. We have also observed that the use of a total heap semantics seems to 
make it easy to support certain extra specification features in a separation logic assertion 
language. In particular, the use of "old" expressions in method contracts (allowing post- 
conditions to explicitly mention values of heap locations in the pre-state of the method call) 
is awkward to support in a partial heaps semantics, since it expresses relationships between 
partial heap fragments which may not have obviously-related domains. As a consequence, 
separation logic based tools typically do not support this feature, and typically use logical 
variables to connect old and new values of heap locations. However, with our total heap 
semantics it seems rather easy to evaluate old expressions by simply replacing our total 
heap with a copy of the pre-heap. Consider the following two specifications, where the left 
one uses old expressions and the right one a logical variable v. 

$\mathsf{requires}\ \mathsf{acc}(x.f)$                                     $\mathsf{requires}\ \mathsf{acc}(x.f) * x.f = v$

$\mathsf{ensures}\ \mathsf{acc}(x.f) * x.f = \mathsf{old}(x.f) + 1$        $\mathsf{ensures}\ \mathsf{acc}(x.f) * x.f = v + 1$

To use the logical variable specification, we must find a witness for the logical variable 
V, while with old expressions this witness is not required as it simply places a constraint 
on the possible old and new heaps. This is because the assertions describing the value 
relationship in the old expression specification only appears in the post-condition, which, 
from the caller's perspective, ends up as an assume. On the other hand, in the logical 
variable alternative, the variable appears both in the pre- and post-conditions, hence it 
also ends up used in an assert (when the caller exhales the pre-condition). Moving to old 
expressions may have benefits for building tool support for separation logic. 

Acknowledgements. We thank Mike Dodds, David Naumann, Ioannis Kassios, Peter
Müller, Sophia Drossopoulou and the anonymous ESOP and LMCS reviewers for feedback
on this work.
Appendix A. Proofs

Lemma 3.9 (Minimisation of Permission Masks). If $H, P_1 * P_2, \sigma \models_{TPL} A$ then $\exists P_3 \sqsubseteq P_2$
such that $(H, P_1, \sigma) < P_3 \models_{TPL} A$.

Proof. By complete (strong) induction on $rds(P_2)$ using subset ordering.
Case split on whether the following formula holds:

$\exists P_4 \sqsubseteq P_2.\ rds(P_4) \subset rds(P_2) \wedge H, P_1 * P_4, \sigma \models_{TPL} A$

Assume first that it does. By induction, we know $\exists P_5 \sqsubseteq P_4.\ (H, P_1, \sigma) < P_5 \models_{TPL} A$, and by
transitivity of $\sqsubseteq$, we have $P_5 \sqsubseteq P_2$, as required.

Secondly, assume that the formula does not hold. Therefore,

$\forall P_4 \sqsubseteq P_2.\ rds(P_4) \subset rds(P_2) \Rightarrow H, P_1 * P_4, \sigma \not\models_{TPL} A$

Hence, $(H, P_1, \sigma) < P_2 \models_{TPL} A$. We can prove the obligation by picking $P_3 = P_2$. □

Lemma 3.11. If $A$ is weakening-closed, $(H, P, \sigma) < P' \models_{TPL} A$, $P' \sqsubseteq P''$ and $rds(P') =
rds(P'')$, then $(H, P, \sigma) < P'' \models_{TPL} A$.

Proof. As $A$ is weakening-closed, we know:

$H, P * P'', \sigma \models_{TPL} A$

If $P''$ is not minimal, then neither was $P'$, which is a contradiction. So $P''$ must also be a
minimal extension. □

Lemma 3.12 (Minimal Permission Extensions Closed). If $(H, P_1 * P_2, \sigma) < P_3 \models_{TPL} A$ and
$A$ is weakening-closed, then $\exists P_4 \sqsubseteq P_2$ and $(H, P_1, \sigma) < P_4 * P_3 \models_{TPL} A$.

Proof. First, we prove a more general result, and apply Lemma 3.11 to get the required
result. We prove that:

If we know that $A$ is weakening-closed, then, if we also have $(H, P_1 * P_2, \sigma) <
P_3 \models_{TPL} A$ then $\exists P_4 \sqsubseteq P_2$ and $P_5 \sqsubseteq P_3$ such that $rds(P_5) = rds(P_3)$ and

$(H, P_1, \sigma) < P_4 * P_5 \models_{TPL} A$

We know $H, P_1 * P_2 * P_3, \sigma \models_{TPL} A$, and by Lemma 3.9 we have that there exists $P_6$ such
that $(H, P_1, \sigma) < P_6 \models_{TPL} A$ and $P_6 \sqsubseteq P_2 * P_3$. Choose $P_4$ and $P_5$ such that $P_5 = P_3 \sqcap P_6$, and

$P_4 = P_6 - (P_3 \sqcap P_6)$.

We need to show $P_4 \sqsubseteq P_2$ and $rds(P_5) = rds(P_3)$. From our assumptions, we know that
$P_4 * (P_3 \sqcap P_6) = P_6$, and thus $P_4 \sqsubseteq P_6$, and $P_6 \sqsubseteq P_2 * P_3$. We split into two cases:

($P_4 \not\sqsubseteq P_2$): Therefore, there exists $(\iota, f)$ such that $P_4[\iota, f] > P_2[\iota, f]$. Therefore, $P_6[\iota, f] >
P_2[\iota, f]$, but by assumption, we know $P_6[\iota, f] \le P_2[\iota, f] + P_3[\iota, f]$. Consider two sub-cases:

($P_6[\iota, f] \le P_3[\iota, f]$): Therefore, as $P_4 = P_6 - (P_3 \sqcap P_6)$ we know $P_4[\iota, f] = 0$, contradicting
$P_4[\iota, f] > P_2[\iota, f]$.

($P_3[\iota, f] < P_6[\iota, f]$): Therefore, as $P_4 * (P_3 \sqcap P_6) = P_6$ we know $P_4[\iota, f] + P_3[\iota, f] = P_6[\iota, f]$.
As $P_6 \sqsubseteq P_2 * P_3$, we know $P_4[\iota, f] + P_3[\iota, f] \le P_2[\iota, f] + P_3[\iota, f]$, hence $P_4[\iota, f] \le P_2[\iota, f]$,
contradicting the assumption.

($P_4 \sqsubseteq P_2$): We split into two sub-cases:

($rds(P_5) = rds(P_3)$): The result follows directly.

($rds(P_5) \subset rds(P_3)$): For this case, using the assumption that $A$ is weakening-closed,
we get $H, P_1 * P_2 * P_5, \sigma \models_{TPL} A$, which is in contradiction with the assumption that
$(H, P_1 * P_2, \sigma) < P_3 \models_{TPL} A$. □
Proposition 3.13. All formulas $A$ are weakening-closed.

Proof. By induction on $A$. By $P \sqsubseteq P'$ we can assume there exists $P''$ such that $P * P'' = P'$.

($A = \mathsf{acc}(E.f, \pi)$):

$H, P, \sigma \models_{TPL} A$
$\Rightarrow P[[\![E]\!]_{H,\sigma}, f] \ge \pi$ (by defn)
$\Rightarrow P'[[\![E]\!]_{H,\sigma}, f] \ge \pi$ (as $P \sqsubseteq P'$)
$\Rightarrow H, P', \sigma \models_{TPL} A$

($A = E = E'$):

$H, P, \sigma \models_{TPL} A$
$\Rightarrow [\![E]\!]_{H,\sigma} = [\![E']\!]_{H,\sigma}$ (by defn)
$\Rightarrow H, P', \sigma \models_{TPL} A$

($A = E.f \mapsto_\pi E'$): Follows using a combination of arguments from the previous two cases.

($A = A_1 * A_2$):

$H, P, \sigma \models_{TPL} A$
$\Rightarrow \exists P_1, P_2.\ P_1 * P_2 = P \wedge H, P_1, \sigma \models_{TPL} A_1 \wedge H, P_2, \sigma \models_{TPL} A_2$

We introduce $P_1$ and $P_2$, and define $P_3 = P_2 * P''$. By induction, we know

$\Rightarrow P_1 * P_2 = P \wedge H, P_1, \sigma \models_{TPL} A_1 \wedge H, P_3, \sigma \models_{TPL} A_2$
$\Rightarrow P_1 * P_3 = P' \wedge H, P_1, \sigma \models_{TPL} A_1 \wedge H, P_3, \sigma \models_{TPL} A_2$
$\Rightarrow H, P', \sigma \models_{TPL} A$ (by defn)

($A = A_1 \wedge A_2$, $A = A_1 \vee A_2$): Trivially by induction.

($A = A_1 -\!* A_2$): By unfolding the obligation, we can assume

$H, P, \sigma \models_{TPL} A_1 -\!* A_2$
$P_1 \perp P'$
$H_1 \overset{rds(P') \cup rds(P_1)}{=} H$
$(H_1, \emptyset, \sigma) < P_1 \models_{TPL} A_1$

and must prove

$H_1, P' * P_1, \sigma \models_{TPL} A_2$

By assumptions, we know $P_1 \perp P$ and $H_1 \overset{rds(P) \cup rds(P_1)}{=} H$ as $P$ is smaller than $P'$.
Therefore, using the $-\!*$ assumption, we have

$H_1, P * P_1, \sigma \models_{TPL} A_2$

By the inductive hypothesis, we know

$H_1, P' * P_1, \sigma \models_{TPL} A_2$

as required.

($A = A_1 \rightarrow A_2$): By unfolding the obligation, we can assume

$H, P, \sigma \models_{TPL} A_1 \rightarrow A_2$
$P_2 \perp P'$
$H_2 \overset{rds(P') \cup rds(P_2)}{=} H$
$(H_2, P', \sigma) < P_2 \models_{TPL} A_1$

and must prove

$H_2, P' * P_2, \sigma \models_{TPL} A_2$

By Lemma 3.12 and as $A_1$ is closed under permission extension by the inductive hypothesis,
we have that there exists a $P_1$ such that

$P_1 \sqsubseteq P''$
$(H_2, P, \sigma) < P_1 * P_2 \models_{TPL} A_1$

As $P \sqsubseteq P'$, we can show

$H_2 \overset{rds(P') \cup rds(P_2)}{=} H$
$\Rightarrow H_2 \overset{rds(P) \cup rds(P_2)}{=} H$ (as $P \sqsubseteq P'$)
$\Rightarrow H_2 \overset{rds(P) \cup rds(P_2 * P_1)}{=} H$ (as $P_2 \sqsubseteq P_1 * P_2$)

Therefore by the $\rightarrow$ assumption, we have

$H_2, P * P_1 * P_2, \sigma \models_{TPL} A_2$

As $P_1 \sqsubseteq P''$, by the inductive hypothesis we have

$H_2, P * P'' * P_2, \sigma \models_{TPL} A_2$

as required.

($A = \exists x.\ A'$):

$H, P, \sigma \models_{TPL} \exists x.\ A'$
$\Rightarrow \exists v.\ H, P, \sigma[x \mapsto v] \models_{TPL} A'$
$\Rightarrow \exists v.\ H, P', \sigma[x \mapsto v] \models_{TPL} A'$ (by the inductive hypothesis)
$\Rightarrow H, P', \sigma \models_{TPL} \exists x.\ A'$

Lemma 3.15.

(1) If $(H, P, \sigma) \in \mathsf{ExtFrm}(A)$, then:

(a) if $H' \in \mathsf{interfere}(H, P)$, then $(H', P, \sigma) \in \mathsf{ExtFrm}(A)$.

(b) if $P' \perp P$ and $H' \in \mathsf{interfere}(H, P * P')$ and $H, P * P', \sigma \models_{TPL} A$, then
$H', P * P', \sigma \models_{TPL} A$.

(2) If $(H, P, \sigma) \in \mathsf{DisExtFrm}(A)$, then:

(a) if $H' \in \mathsf{interfere}(H, P)$, then $(H', P, \sigma) \in \mathsf{DisExtFrm}(A)$.

(b) if $P' \perp P$ and $H' \in \mathsf{interfere}(H, P * P')$ and $H, P', \sigma \models_{TPL} A$, then
$H', P', \sigma \models_{TPL} A$.

Proof.

(1) (a) This follows directly, since if we have $H' \in \mathsf{interfere}(H, P)$, then it follows that
$\mathsf{globalExts}(H, P, \sigma) = \mathsf{globalExts}(H', P, \sigma)$.

(b) By assumptions, we know that $(H, P * P', \sigma) \in \mathsf{globalExts}(H, P, \sigma)$, and also that
$H' \in \mathsf{interfere}(H, P * P')$. As $\mathsf{globalExts}(H, P, \sigma) \cap \langle\!\langle A \rangle\!\rangle$ is stable, we know $H', P * P', \sigma \models_{TPL} A$ as required.

(2) (a) This follows directly, since if $H' \in \mathsf{interfere}(H, P)$, then $\mathsf{globalDisjExts}(H, P, \sigma) =
\mathsf{globalDisjExts}(H', P, \sigma)$.

(b) By assumptions, we know that $(H, P', \sigma) \in \mathsf{globalDisjExts}(H, P, \sigma)$, and also that
$H' \in \mathsf{interfere}(H, P * P')$. As $\mathsf{globalDisjExts}(H, P, \sigma) \cap \langle\!\langle A \rangle\!\rangle$ is stable with $P$, we
know $H', P', \sigma \models_{TPL} A$ as required.
Lemma 3.16 (Preservation of Minimal Extensions).

(1) For all $(H_1, P_1, \sigma) \in \mathsf{ExtFrm}(A)$,

$\forall P_2 \perp P_1,\ \forall H_2 \overset{P_1 * P_2}{=} H_1.\ ((H_1, P_1, \sigma) < P_2 \models_{TPL} A \Rightarrow (H_2, P_1, \sigma) < P_2 \models_{TPL} A)$

(2) For all $(H_1, P_1, \sigma) \in \mathsf{DisExtFrm}(A)$,

$\forall P_2 \perp P_1,\ \forall H_2 \overset{P_1 * P_2}{=} H_1.\ ((H_1, \emptyset, \sigma) < P_2 \models_{TPL} A \Rightarrow (H_2, \emptyset, \sigma) < P_2 \models_{TPL} A)$

(3) If $A$ is self-framing and $P_2 \perp P_1$ and $(H_1, P_1, \sigma) < P_2 \models_{TPL} A$ and $H_2 \overset{P_1 * P_2}{=} H_1$, then
$(H_2, P_1, \sigma) < P_2 \models_{TPL} A$.

Proof.

(1) Assume $P_2 \perp P_1$, $H_2 \overset{P_1 * P_2}{=} H_1$ and $(H_1, P_1, \sigma) < P_2 \models_{TPL} A$. By $(H_1, P_1, \sigma) \in \mathsf{ExtFrm}(A)$
we have $H_2, P_1 * P_2, \sigma \models_{TPL} A$, and thus we are left to prove:

$\forall P_3 \sqsubseteq P_2.\ rds(P_3) \subset rds(P_2) \Rightarrow H_2, P_1 * P_3, \sigma \not\models_{TPL} A$

We assume $P_3 \sqsubseteq P_2$, $rds(P_3) \subset rds(P_2)$ and $H_2, P_1 * P_3, \sigma \models_{TPL} A$ and seek a contradiction.
By Lemma 3.15(1)(b) we can prove $H_1, P_1 * P_3, \sigma \models_{TPL} A$, and thus using $(H_1, P_1, \sigma) <
P_2 \models_{TPL} A$ we deduce a contradiction.

(2) Assume $P_2 \perp P_1$, $H_2 \overset{P_1 * P_2}{=} H_1$ and $(H_1, \emptyset, \sigma) < P_2 \models_{TPL} A$. By $(H_1, P_1, \sigma) \in \mathsf{DisExtFrm}(A)$
we have $H_2, P_2, \sigma \models_{TPL} A$, and thus we are left to prove:

$\forall P_3 \sqsubseteq P_2.\ rds(P_3) \subset rds(P_2) \Rightarrow H_2, P_3, \sigma \not\models_{TPL} A$

We assume $P_3 \sqsubseteq P_2$, $rds(P_3) \subset rds(P_2)$ and $H_2, P_3, \sigma \models_{TPL} A$ and seek a contradiction. By
Lemma 3.15(2)(b) we can prove $H_1, P_3, \sigma \models_{TPL} A$, and thus using $(H_1, \emptyset, \sigma) < P_2 \models_{TPL} A$
we deduce a contradiction.

(3) Since $A$ is self-framing, we know $H_2, P_1 * P_2, \sigma \models_{TPL} A$, and thus we are left to prove:

$\forall P_3 \sqsubseteq P_2.\ rds(P_3) \subset rds(P_2) \Rightarrow H_2, P_1 * P_3, \sigma \not\models_{TPL} A$

We assume $P_3 \sqsubseteq P_2$, $rds(P_3) \subset rds(P_2)$ and $H_2, P_1 * P_3, \sigma \models_{TPL} A$ and seek a contradiction.
By the self-framing assumption, we know $H_1, P_1 * P_3, \sigma \models_{TPL} A$, but this contradicts the initial
minimality assumption.
Lemma 3.19 (Simplified Semantics for Self-Framing Conditionals).

(1) If $A_1$ and $A_2$ are both self-framing, then:

(a) $H, P, \sigma \models_{TPL} A_1 \rightarrow A_2$ if and only if:

$\forall (H', P', \sigma) \in \mathsf{localExts}(H, P, \sigma).\ (H', P', \sigma \models_{TPL} A_1 \Rightarrow H', P', \sigma \models_{TPL} A_2)$

(b) $H, P, \sigma \models_{TPL} A_1 \rightarrow A_2$ if and only if:

$\forall (H', P', \sigma) \in \mathsf{globalExts}(H, P, \sigma).\ (H', P', \sigma \models_{TPL} A_1 \Rightarrow H', P', \sigma \models_{TPL} A_2)$

(2) If $A_1$ and $A_2$ are both self-framing, then:

(a) $H, P, \sigma \models_{TPL} A_1 -\!* A_2$ if and only if:

$\forall (H', P', \sigma) \in \mathsf{localDisjExts}(H, P, \sigma).\ (H', P', \sigma \models_{TPL} A_1 \Rightarrow H', P * P', \sigma \models_{TPL} A_2)$

(b) $H, P, \sigma \models_{TPL} A_1 -\!* A_2$ if and only if:

$\forall (H', P', \sigma) \in \mathsf{globalDisjExts}(H, P, \sigma).\ (H', P', \sigma \models_{TPL} A_1 \Rightarrow H', P * P', \sigma \models_{TPL} A_2)$
Proof.

(1) (a) We need to show that:

$\forall P_1, H_1.\ ((H_1, P * P_1, \sigma) \in \mathsf{localExts}(H, P, \sigma) \wedge (H_1, P, \sigma) < P_1 \models_{TPL} A_1 \Rightarrow H_1, P * P_1, \sigma \models_{TPL} A_2)$
$\Longleftrightarrow$
$\forall P_2, H_2.\ ((H_2, P * P_2, \sigma) \in \mathsf{localExts}(H, P, \sigma) \wedge H_2, P * P_2, \sigma \models_{TPL} A_1 \Rightarrow H_2, P * P_2, \sigma \models_{TPL} A_2)$

The right-to-left direction is easy, since the left-hand formula requires that we check
the implication in strictly fewer states (only those which are obtained via minimal
extensions). For the left-to-right direction, assume that for some arbitrary $P_2, H_2$
we have $P_2 \perp P$ and $H_2 \overset{rds(P) \cup rds(P_2)}{=} H$ and $H_2, P * P_2, \sigma \models_{TPL} A_1$. Then we need
to show that: $H_2, P * P_2, \sigma \models_{TPL} A_2$. By Lemma 3.9 there exists $P_3 \sqsubseteq P_2$ such that
$(H_2, P, \sigma) < P_3 \models_{TPL} A_1$. Define $H_3 = (P * P_3\ ?\ H_2 : H)$. Then, by construction,
$H_3 \overset{P * P_3}{=} H_2$ and $H_3 \overset{rds(P) \cup rds(P_3)}{=} H$.

By Lemma 3.16(3), since $A_1$ is self-framing, we have $(H_3, P, \sigma) < P_3 \models_{TPL} A_1$. Now,
using the assumption from the left-hand side of our overall goal, choose $P_1 = P_3$ and
$H_1 = H_3$, and we obtain $H_3, P * P_3, \sigma \models_{TPL} A_2$. Since $A_2$ is self-framing, we have
$H_2, P * P_3, \sigma \models_{TPL} A_2$. Then, by Proposition 3.13, we obtain $H_2, P * P_2, \sigma \models_{TPL} A_2$
as required.

(b) By the previous part, it suffices to show that:

$\forall (H', P', \sigma) \in \mathsf{localExts}(H, P, \sigma).\ (H', P', \sigma \models_{TPL} A_1 \Rightarrow H', P', \sigma \models_{TPL} A_2)$
$\Longleftrightarrow$
$\forall (H', P', \sigma) \in \mathsf{globalExts}(H, P, \sigma).\ (H', P', \sigma \models_{TPL} A_1 \Rightarrow H', P', \sigma \models_{TPL} A_2)$

The ($\Leftarrow$) direction is immediate, since $\mathsf{localExts}(H, P, \sigma) \subseteq \mathsf{globalExts}(H, P, \sigma)$. To
show the ($\Rightarrow$) direction, we assume the former formula, and suppose that we have
some $(H', P', \sigma) \in \m athsf{globalExts}(H, P, \sigma)$ such that $H', P', \sigma \models_{TPL} A_1$ holds. Define
$H'' = (P'\ ?\ H' : H)$. By construction, $(H'', P', \sigma) \in \mathsf{localExts}(H, P, \sigma)$ and $H'' \overset{P'}{=} H'$.
Since $A_1$ is self-framing, we conclude that $H'', P', \sigma \models_{TPL} A_1$ holds. Therefore, by
the assumed formula, we can conclude that $H'', P', \sigma \models_{TPL} A_2$ is true. Since $A_2$ is
self-framing, we conclude $H', P', \sigma \models_{TPL} A_2$ as required.

(2) (a) We need to show that:

$\forall P_1, H_1.\ (P_1 \perp P \wedge H_1 \overset{rds(P) \cup rds(P_1)}{=} H \wedge (H_1, \emptyset, \sigma) < P_1 \models_{TPL} A_1 \Rightarrow H_1, P * P_1, \sigma \models_{TPL} A_2)$
$\Longleftrightarrow$
$\forall P_2, H_2.\ (P_2 \perp P \wedge H_2 \overset{rds(P) \cup rds(P_2)}{=} H \wedge H_2, P_2, \sigma \models_{TPL} A_1 \Rightarrow H_2, P * P_2, \sigma \models_{TPL} A_2)$

The right-to-left direction is easy, since the left-hand formula requires that we check
the implication in strictly fewer states (only those which are obtained via minimal
extensions). For the left-to-right direction, assume that for some arbitrary $P_2, H_2$
we have $P_2 \perp P$ and $H_2 \overset{rds(P) \cup rds(P_2)}{=} H$ and $H_2, P_2, \sigma \models_{TPL} A_1$. Then we need to
show that: $H_2, P * P_2, \sigma \models_{TPL} A_2$. By Lemma 3.9 there exists $P_3 \sqsubseteq P_2$ such that
$(H_2, \emptyset, \sigma) < P_3 \models_{TPL} A_1$. Define $H_3 = (P * P_3\ ?\ H_2 : H)$. Then, by construction,
$H_3 \overset{P * P_3}{=} H_2$ and $H_3 \overset{rds(P) \cup rds(P_3)}{=} H$.

By Lemma 3.16(3), since $A_1$ is self-framing, we have $(H_3, \emptyset, \sigma) < P_3 \models_{TPL} A_1$. Now,
using the assumption from the left-hand side of our overall goal, choose $P_1 = P_3$
and $H_1 = H_3$, and we obtain $H_3, P * P_3, \sigma \models_{TPL} A_2$. Since $A_2$ is self-framing, we have
$H_2, P * P_3, \sigma \models_{TPL} A_2$. Then, by Proposition 3.13 we obtain $H_2, P * P_2, \sigma \models_{TPL} A_2$
as required.

(b) By a similar argument to part (1)(b).
Theorem 3.20 (Correctness of Total Heap Semantics). For all SL-assertions $a$, environments
$\sigma$, total heaps $H$, and permission masks $P$:

$H, P, \sigma \models_{TPL} a \Longleftrightarrow (H{\upharpoonright}P), \sigma \models_{SL} a$

Proof. By induction on $a$. First note, if the property holds of an SL-assertion, then the
assertion is self-framing. Thus, inductively we can assume all sub-assertions are self-framing.

($a = e.f \mapsto_\pi e'$):

$H, P, \sigma \models_{TPL} a$
$\Longleftrightarrow P[[\![e]\!]_{\sigma,H}, f] \ge \pi \wedge H[[\![e]\!]_{\sigma,H}, f] = [\![e']\!]_{\sigma,H}$ (by defn.)
$\Longleftrightarrow ([\![e]\!]_{\sigma,H}, f) \in dom(H{\upharpoonright}P) \wedge \pi_1((H{\upharpoonright}P)[[\![e]\!]_{\sigma,H}, f]) = [\![e']\!]_{\sigma,H} \wedge \pi_2((H{\upharpoonright}P)[[\![e]\!]_{\sigma,H}, f]) \ge \pi$ (by defn. of $(H{\upharpoonright}P)$)
$\Longleftrightarrow ([\![e]\!]_{\sigma}, f) \in dom(H{\upharpoonright}P) \wedge \pi_1((H{\upharpoonright}P)[[\![e]\!]_{\sigma}, f]) = [\![e']\!]_{\sigma} \wedge \pi_2((H{\upharpoonright}P)[[\![e]\!]_{\sigma}, f]) \ge \pi$ (by Lemma [?])
$\Longleftrightarrow (H{\upharpoonright}P), \sigma \models_{SL} a$ (by defn.)

($a = e = e'$):

$H, P, \sigma \models_{TPL} a$
$\Longleftrightarrow [\![e]\!]_{\sigma,H} = [\![e']\!]_{\sigma,H}$ (by defn.)
$\Longleftrightarrow [\![e]\!]_{\sigma} = [\![e']\!]_{\sigma}$ (by Lemma [?])
$\Longleftrightarrow (H{\upharpoonright}P), \sigma \models_{SL} a$ (by defn.)

($a = a_1 * a_2$):

$H, P, \sigma \models_{TPL} a$
$\Longleftrightarrow \exists P_1, P_2.\ (P = P_1 * P_2 \wedge H, P_1, \sigma \models_{TPL} a_1 \wedge H, P_2, \sigma \models_{TPL} a_2)$ (by defn.)
$\Longleftrightarrow \exists P_1, P_2.\ (P = P_1 * P_2 \wedge (H{\upharpoonright}P_1), \sigma \models_{SL} a_1 \wedge (H{\upharpoonright}P_2), \sigma \models_{SL} a_2)$ (by induction, twice)
$\Longleftrightarrow (H{\upharpoonright}P), \sigma \models_{SL} a$ (by defn.)

($a = a_1 \wedge a_2$), ($a = a_1 \vee a_2$): Straightforwardly, by induction.

($a = a_1 \rightarrow a_2$):

$H, P, \sigma \models_{TPL} a$
$\Longleftrightarrow \forall P_1, H_1.\ (P_1 \perp P \wedge H_1 \overset{rds(P) \cup rds(P_1)}{=} H \wedge H_1, P * P_1, \sigma \models_{TPL} a_1 \Rightarrow H_1, P * P_1, \sigma \models_{TPL} a_2)$ (by Lemma 3.19(1))
$\Longleftrightarrow \forall P_1, H_1.\ (P_1 \perp P \wedge H_1 \overset{rds(P) \cup rds(P_1)}{=} H \wedge (H_1{\upharpoonright}(P * P_1)), \sigma \models_{SL} a_1 \Rightarrow (H_1{\upharpoonright}(P * P_1)), \sigma \models_{SL} a_2)$ (by induction, twice)
$\Longleftrightarrow \forall P_1, H_1.\ (P_1 \perp P \wedge H_1 \overset{rds(P) \cup rds(P_1)}{=} H \wedge ((H_1{\upharpoonright}P) * (H_1{\upharpoonright}P_1)), \sigma \models_{SL} a_1 \Rightarrow ((H_1{\upharpoonright}P) * (H_1{\upharpoonright}P_1)), \sigma \models_{SL} a_2)$ (by defn.)
$\Longleftrightarrow \forall P_1, H_1.\ (P_1 \perp P \wedge H_1 \overset{rds(P) \cup rds(P_1)}{=} H \wedge ((H{\upharpoonright}P) * (H_1{\upharpoonright}P_1)), \sigma \models_{SL} a_1 \Rightarrow ((H{\upharpoonright}P) * (H_1{\upharpoonright}P_1)), \sigma \models_{SL} a_2)$ (since $H_1 \overset{P}{=} H$)
$\Longleftrightarrow \forall P_1, h_1.\ (P_1 \perp dom(H{\upharpoonright}P) \wedge dom(h_1) = rds(P_1) \wedge (\forall (\iota, f) \in (dom(h_1) \cap dom(H{\upharpoonright}P)).\ h_1[\iota, f] = (H{\upharpoonright}P)[\iota, f]) \wedge ((H{\upharpoonright}P) * h_1), \sigma \models_{SL} a_1 \Rightarrow ((H{\upharpoonright}P) * h_1), \sigma \models_{SL} a_2)$ (by defn. of $(H_1{\upharpoonright}P_1)$)
$\Longleftrightarrow \forall h_1.\ (h_1 \perp (H{\upharpoonright}P) \wedge ((H{\upharpoonright}P) * h_1), \sigma \models_{SL} a_1 \Rightarrow ((H{\upharpoonright}P) * h_1), \sigma \models_{SL} a_2)$ (by defn. of $h_1 \perp (H{\upharpoonright}P)$)
$\Longleftrightarrow (H{\upharpoonright}P), \sigma \models_{SL} a_1 \rightarrow a_2$

($a = a_1 -\!* a_2$): Analogous to the previous case, using Lemma 3.19(2) instead of Lemma 3.19(1).

($a = \exists x.\ a'$): We have:

$H, P, \sigma \models_{TPL} \exists x.\ a'$
$\Longleftrightarrow \exists v.\ H, P, \sigma[x \mapsto v] \models_{TPL} a'$
$\Longleftrightarrow \exists v.\ H{\upharpoonright}P, \sigma[x \mapsto v] \models_{SL} a'$ (by the inductive hypothesis)
$\Longleftrightarrow H{\upharpoonright}P, \sigma \models_{SL} \exists x.\ a'$

Lemma 3.23 (Decomposing Minimal Permission Extensions over Conjunctions).

(1) If $(H, \emptyset, \sigma) \lhd P' \models_{\mathrm{TPL}} A_1 * A_2$ then there exist $P_1, P_2$ such that $P' = P_1 * P_2$ and $(H, \emptyset, \sigma) \lhd P_1 \models_{\mathrm{TPL}} A_1$ and $(H, \emptyset, \sigma) \lhd P_2 \models_{\mathrm{TPL}} A_2$.

(2) If $(H, P, \sigma) \lhd P' \models_{\mathrm{TPL}} A_1 \wedge A_2$ then there exist $P_1, P_2$ such that $P' = P_1 * P_2$ and $(H, P, \sigma) \lhd P_1 \models_{\mathrm{TPL}} A_1$ and $(H, P * P_1, \sigma) \lhd P_2 \models_{\mathrm{TPL}} A_2$.

Proof.

(1) We prove an equivalent statement:

\[ (H, \emptyset, \sigma) \lhd P \models_{\mathrm{TPL}} A_1 * A_2 \;\wedge\; P_3 * P_4 = P \;\wedge\; H, P_3, \sigma \models_{\mathrm{TPL}} A_1 \;\wedge\; H, P_4, \sigma \models_{\mathrm{TPL}} A_2 \]
\[ \Longrightarrow \exists P_1, P_2.\; P_1 * P_2 = P \;\wedge\; (H, \emptyset, \sigma) \lhd P_1 \models_{\mathrm{TPL}} A_1 \;\wedge\; (H, \emptyset, \sigma) \lhd P_2 \models_{\mathrm{TPL}} A_2 \]

by complete (strong) induction on $|\mathrm{rds}(P_3) \cap \mathrm{rds}(P_4)|$. In the proof, we use the shorthand $P[(\iota, f) \mapsto \pi]$ to denote the permission mask that returns $\pi$ for $(\iota, f)$ and behaves like $P$ for all other entries, and also the shorthand $P \setminus (\iota, f)$ for $P[(\iota, f) \mapsto 0]$. We now consider two cases:

$(\exists (\iota, f) \in \mathrm{rds}(P_3).\; H, (P_3 \setminus (\iota, f)), \sigma \models_{\mathrm{TPL}} A_1)$:
By Proposition 3.13 we know $H, (P_4[(\iota, f) \mapsto P[\iota, f]]), \sigma \models_{\mathrm{TPL}} A_2$. We know $P_4[\iota, f] > 0$, otherwise $P_3 * P_4$ was not minimal to start with. Therefore $|\mathrm{rds}(P_3 \setminus (\iota, f)) \cap \mathrm{rds}(P_4[(\iota, f) \mapsto P[\iota, f]])| < |\mathrm{rds}(P_3) \cap \mathrm{rds}(P_4)|$. By construction, we know $(P_3 \setminus (\iota, f)) * (P_4[(\iota, f) \mapsto P[\iota, f]]) = P_3 * P_4$, so this case holds by induction, choosing $(P_3 \setminus (\iota, f))$ for $P_3$ and $P_4[(\iota, f) \mapsto P[\iota, f]]$ for $P_4$ in the inductive hypothesis.

$(\forall (\iota, f) \in \mathrm{rds}(P_3).\; H, (P_3 \setminus (\iota, f)), \sigma \not\models_{\mathrm{TPL}} A_1)$:
Therefore $(H, \emptyset, \sigma) \lhd P_3 \models_{\mathrm{TPL}} A_1$. Consider two sub-cases:

$(\exists (\iota, f) \in \mathrm{rds}(P_4).\; H, (P_4 \setminus (\iota, f)), \sigma \models_{\mathrm{TPL}} A_2)$:
By Proposition 3.13 we know $H, (P_3[(\iota, f) \mapsto P[\iota, f]]), \sigma \models_{\mathrm{TPL}} A_1$. By construction, we know $P_3[\iota, f] > 0$, otherwise $P_3 * P_4$ was not minimal to start with. Therefore $|\mathrm{rds}(P_4 \setminus (\iota, f)) \cap \mathrm{rds}(P_3[(\iota, f) \mapsto P[\iota, f]])| < |\mathrm{rds}(P_3) \cap \mathrm{rds}(P_4)|$. We know $(P_4 \setminus (\iota, f)) * (P_3[(\iota, f) \mapsto P[\iota, f]]) = P_3 * P_4$, so this case holds by induction, choosing $(P_4 \setminus (\iota, f))$ for $P_4$ and $P_3[(\iota, f) \mapsto P[\iota, f]]$ for $P_3$ in the inductive hypothesis.

$(\forall (\iota, f) \in \mathrm{rds}(P_4).\; H, (P_4 \setminus (\iota, f)), \sigma \not\models_{\mathrm{TPL}} A_2)$:
Then $(H, \emptyset, \sigma) \lhd P_4 \models_{\mathrm{TPL}} A_2$. Hence, we have a solution choosing $P_3 = P_1$ and $P_4 = P_2$.

(2) We can assume $(H, P, \sigma) \lhd P' \models_{\mathrm{TPL}} A_1 \wedge A_2$ and hence $H, P * P', \sigma \models_{\mathrm{TPL}} A_1$ and $H, P * P', \sigma \models_{\mathrm{TPL}} A_2$. By Lemma 3.9 we know there exists $P_1'$ such that $P_1' \sqsubseteq P'$ and $(H, P, \sigma) \lhd P_1' \models_{\mathrm{TPL}} A_1$. Define

\[ P_1 = \lambda (\iota, f).\; \text{if } P_1'[\iota, f] = 0 \text{ then } 0 \text{ else } P'[\iota, f]. \]

Note that $P_1 \sqsubseteq P'$. By Lemma 3.11 we know $(H, P, \sigma) \lhd P_1 \models_{\mathrm{TPL}} A_1$.

We know $H, (P * P_1) * (P' - P_1), \sigma \models_{\mathrm{TPL}} A_2$, and by Lemma 3.9 we know there exists $P_2' \sqsubseteq (P' - P_1)$ such that $(H, P * P_1, \sigma) \lhd P_2' \models_{\mathrm{TPL}} A_2$. Define

\[ P_2 = \lambda (\iota, f).\; \text{if } P_2'[\iota, f] = 0 \text{ then } 0 \text{ else } P'[\iota, f]. \]

Note that $P_2 \sqsubseteq P' - P_1$, and thus $P_1 * P_2 \sqsubseteq P'$. By Lemma 3.11 we deduce that $(H, P, \sigma) \lhd P_2 \models_{\mathrm{TPL}} A_2$.

By construction of $P_1$ and $P_2$, either $P_1 * P_2 = P'$ or $\mathrm{rds}(P_1 * P_2) \subset \mathrm{rds}(P')$. In the first case we are done. In the second case, we seek a contradiction. We know $H, P * P_1 * P_2, \sigma \models_{\mathrm{TPL}} A_2$, and by Proposition 3.13 we know $H, P * P_1 * P_2, \sigma \models_{\mathrm{TPL}} A_1$, hence $H, P * P_1 * P_2, \sigma \models_{\mathrm{TPL}} A_1 \wedge A_2$. We know $P_1 * P_2 \sqsubseteq P'$, but that contradicts the initial assumption of $P'$ being minimal.
Lemma 3.25 (Composing Minimal Permission Extensions over Supported Conjunctions).

(1) If $(H, \emptyset, \sigma) \lhd P_1 \models_{\mathrm{TPL}} A_1$ and $(H, \emptyset, \sigma) \lhd P_2 \models_{\mathrm{TPL}} A_2$ and $A_1$ and $A_2$ are supported, then $(H, \emptyset, \sigma) \lhd P_1 * P_2 \models_{\mathrm{TPL}} A_1 * A_2$.

(2) If $(H, P, \sigma) \lhd P_1 \models_{\mathrm{TPL}} A_1$ and $(H, P * P_1, \sigma) \lhd P_2 \models_{\mathrm{TPL}} A_2$ and $A_1$ and $A_2$ are supported, then $(H, P, \sigma) \lhd P_1 * P_2 \models_{\mathrm{TPL}} A_1 \wedge A_2$.

Proof.

(1) Proof by contradiction. We know $H, P_1 * P_2, \sigma \models_{\mathrm{TPL}} A_1 * A_2$ holds, therefore we assume that there exists $P' \sqsubseteq P_1 * P_2$ such that $\mathrm{rds}(P') \subset \mathrm{rds}(P_1 * P_2)$ and $H, P', \sigma \models_{\mathrm{TPL}} A_1 * A_2$. Therefore, there exist $P_3$ and $P_4$ such that $P_3 * P_4 = P'$ and $H, P_3, \sigma \models_{\mathrm{TPL}} A_1$ and $H, P_4, \sigma \models_{\mathrm{TPL}} A_2$. From $\mathrm{rds}(P') \subset \mathrm{rds}(P_1 * P_2)$, we know there is some $(\iota, f) \in \mathrm{rds}(P_1 * P_2)$ with $(\iota, f) \notin \mathrm{rds}(P')$. W.l.o.g. assume $(\iota, f) \in \mathrm{rds}(P_1)$. As $A_1$ is supported, we know $H, P_1 \sqcap P_3, \sigma \models_{\mathrm{TPL}} A_1$. Since $(P_1 \sqcap P_3) \sqsubseteq P_3 \sqsubseteq P'$ we have $(\iota, f) \notin \mathrm{rds}(P_1 \sqcap P_3)$. But this contradicts $(H, P, \sigma) \lhd P_1 \models_{\mathrm{TPL}} A_1$, since $(\iota, f) \in \mathrm{rds}(P_1)$.

(2) By assumptions and Proposition 3.13 we have $H, P * P_1 * P_2, \sigma \models_{\mathrm{TPL}} A_1 \wedge A_2$. We show $(H, P, \sigma) \lhd P_1 * P_2 \models_{\mathrm{TPL}} A_1 \wedge A_2$ by contradiction. Assume there exists $P_3 \sqsubseteq (P_1 * P_2)$ such that $\mathrm{rds}(P_3) \subset \mathrm{rds}(P_1 * P_2)$ and $H, P * P_3, \sigma \models_{\mathrm{TPL}} A_1 \wedge A_2$. Then there exists $(\iota, f) \in \mathrm{rds}(P_1 * P_2)$ such that $(\iota, f) \notin \mathrm{rds}(P_3)$. Case split:

$((\iota, f) \in \mathrm{rds}(P_1))$: Note that $(P * P_3) \sqcap (P * P_1) = P * (P_1 \sqcap P_3)$, thus as $A_1$ is supported we have $H, P * (P_1 \sqcap P_3), \sigma \models_{\mathrm{TPL}} A_1$, but this contradicts $(H, P, \sigma) \lhd P_1 \models_{\mathrm{TPL}} A_1$.

$((\iota, f) \in \mathrm{rds}(P_2))$: Note that $(P * P_3) \sqcap (P * P_1 * P_2) = P * (P_3 \sqcap (P_1 * P_2))$. As $A_2$ is supported, we know $H, P * (P_3 \sqcap (P_1 * P_2)), \sigma \models_{\mathrm{TPL}} A_2$, but this contradicts $(H, P * P_1, \sigma) \lhd P_2 \models_{\mathrm{TPL}} A_2$.

Proposition 3.26. For all TPL assertions $A_1, A_2, A_3$:

(1) $A_1 * (A_1 \mathrel{-\!\!*} A_2) \models_{\mathrm{TPL}} A_2$

(2) $A_1 \wedge (A_1 \to A_2) \models_{\mathrm{TPL}} A_2$

(3) (a) $\mathrm{DisExtFrm}(A_1) \cap \langle\!\langle A_1 \mathrel{-\!\!*} (A_2 \mathrel{-\!\!*} A_3) \rangle\!\rangle \subseteq \langle\!\langle (A_1 * A_2) \mathrel{-\!\!*} A_3 \rangle\!\rangle$

(b) if $A_1$ and $A_2$ are supported, then:
$\mathrm{DisExtFrm}(A_1) \cap \langle\!\langle (A_1 * A_2) \mathrel{-\!\!*} A_3 \rangle\!\rangle \subseteq \langle\!\langle A_1 \mathrel{-\!\!*} (A_2 \mathrel{-\!\!*} A_3) \rangle\!\rangle$

(c) if both $A_1 * A_2$ and $A_3$ are self-framing, then:
$\mathrm{DisExtFrm}(A_1) \cap \langle\!\langle (A_1 * A_2) \mathrel{-\!\!*} A_3 \rangle\!\rangle \subseteq \langle\!\langle A_1 \mathrel{-\!\!*} (A_2 \mathrel{-\!\!*} A_3) \rangle\!\rangle$

(4) (a) $\mathrm{ExtFrm}(A_1) \cap \langle\!\langle A_1 \to (A_2 \to A_3) \rangle\!\rangle \subseteq \langle\!\langle (A_1 \wedge A_2) \to A_3 \rangle\!\rangle$

(b) if $A_1$ and $A_2$ are supported, then:
$\mathrm{ExtFrm}(A_1) \cap \langle\!\langle (A_1 \wedge A_2) \to A_3 \rangle\!\rangle \subseteq \langle\!\langle A_1 \to (A_2 \to A_3) \rangle\!\rangle$

(c) if both $A_1 \wedge A_2$ and $A_3$ are self-framing, then:
$\mathrm{ExtFrm}(A_1) \cap \langle\!\langle (A_1 \wedge A_2) \to A_3 \rangle\!\rangle \subseteq \langle\!\langle A_1 \to (A_2 \to A_3) \rangle\!\rangle$

(5) If $A_1 \models_{\mathrm{TPL}} (A_2 \mathrel{-\!\!*} A_3)$ then $(A_1 * A_2) \models_{\mathrm{TPL}} A_3$

(6) If $A_1$ is self-framing and $(A_1 * A_2) \models_{\mathrm{TPL}} A_3$ then $A_1 \models_{\mathrm{TPL}} (A_2 \mathrel{-\!\!*} A_3)$

Proof.

(1) Assume $H, P, \sigma \models_{\mathrm{TPL}} A_1 * (A_1 \mathrel{-\!\!*} A_2)$. We seek to prove that $H, P, \sigma \models_{\mathrm{TPL}} A_2$. From our assumption, there exist $P_1, P_2$ such that $P_1 * P_2 = P$ and $H, P_1, \sigma \models_{\mathrm{TPL}} A_1$ and $H, P_2, \sigma \models_{\mathrm{TPL}} A_1 \mathrel{-\!\!*} A_2$. From the latter, we have that

\[ \forall P_3 \perp P_2,\; \forall H_3 \stackrel{\mathrm{rds}(P_2) \cup \mathrm{rds}(P_3)}{=} H.\; (H_3, \emptyset, \sigma) \lhd P_3 \models_{\mathrm{TPL}} A_1 \Longrightarrow H_3, P_2 * P_3, \sigma \models_{\mathrm{TPL}} A_2. \]

From $H, P_1, \sigma \models_{\mathrm{TPL}} A_1$, by Lemma 3.9 we know that there exists $P_3 \sqsubseteq P_1$ such that $(H, \emptyset, \sigma) \lhd P_3 \models_{\mathrm{TPL}} A_1$. Combining these facts, we obtain that $H, P_2 * P_3, \sigma \models_{\mathrm{TPL}} A_2$ holds. By Proposition 3.13 we obtain $H, P_2 * P_1, \sigma \models_{\mathrm{TPL}} A_2$ as required.

(2) Assume $H, P, \sigma \models_{\mathrm{TPL}} A_1 \wedge (A_1 \to A_2)$. We seek to prove that $H, P, \sigma \models_{\mathrm{TPL}} A_2$. From our assumption, we obtain both $H, P, \sigma \models_{\mathrm{TPL}} A_1$ and $H, P, \sigma \models_{\mathrm{TPL}} A_1 \to A_2$. From the latter, we have

\[ \forall P_1 \perp P,\; \forall H_1 \stackrel{\mathrm{rds}(P) \cup \mathrm{rds}(P_1)}{=} H.\; (H_1, P, \sigma) \lhd P_1 \models_{\mathrm{TPL}} A_1 \Longrightarrow H_1, P * P_1, \sigma \models_{\mathrm{TPL}} A_2 \]

Taking $H_1 = H$ and $P_1 = \emptyset$ in the above (and noting that from $H, P, \sigma \models_{\mathrm{TPL}} A_1$ we can easily obtain $(H, P, \sigma) \lhd \emptyset \models_{\mathrm{TPL}} A_1$), we obtain $H, P, \sigma \models_{\mathrm{TPL}} A_2$ as required.
(3) In the following, we assume (as in the statement of the Lemma) that $(H, P, \sigma) \in \mathrm{DisExtFrm}(A_1)$.

(a) We assume $H, P, \sigma \models_{\mathrm{TPL}} A_1 \mathrel{-\!\!*} (A_2 \mathrel{-\!\!*} A_3)$ and seek to prove $H, P, \sigma \models_{\mathrm{TPL}} (A_1 * A_2) \mathrel{-\!\!*} A_3$. Thus, we can assume

\[ (H_3, P_3, \sigma) \in \mathrm{localDisjExts}(H, P, \sigma) \]
\[ (H_3, \emptyset, \sigma) \lhd P_3 \models_{\mathrm{TPL}} A_1 * A_2 \]

and must prove

\[ H_3, P * P_3, \sigma \models_{\mathrm{TPL}} A_3 \]

By Lemma 3.23 (1), there exist $P_1 \perp P_2$ such that $P_3 = P_1 * P_2$ and both

\[ (H_3, \emptyset, \sigma) \lhd P_1 \models_{\mathrm{TPL}} A_1 \]
\[ (H_3, \emptyset, \sigma) \lhd P_2 \models_{\mathrm{TPL}} A_2 \]

By the definition of $\mathrm{localDisjExts}(H, P, \sigma)$, we can show

\[ (H', P_1, \sigma) \in \mathrm{localDisjExts}(H, P, \sigma) \]
\[ (H_3, P_2, \sigma) \in \mathrm{localDisjExts}(H', P * P_1, \sigma) \]

where $H' = (P_1 \mathrel{?} H_3 : H)$. By assumptions, we know $H_3 \stackrel{P}{=} H$, thus $H' \stackrel{P}{=} H_3$. By construction, $H' \stackrel{P_1}{=} H_3$, and thus $H' \stackrel{P * P_1}{=} H_3$.

By the $\mathrm{DisExtFrm}(A_1)$ assumption and Lemma 3.16 (2), we get

\[ (H', \emptyset, \sigma) \lhd P_1 \models_{\mathrm{TPL}} A_1 \]

Now using $H, P, \sigma \models_{\mathrm{TPL}} A_1 \mathrel{-\!\!*} (A_2 \mathrel{-\!\!*} A_3)$, we get

\[ H', P * P_1, \sigma \models_{\mathrm{TPL}} A_2 \mathrel{-\!\!*} A_3 \]

and thus

\[ H_3, P * P_1 * P_2, \sigma \models_{\mathrm{TPL}} A_3 \]

as required.

(b) and (c) We prove these two cases together, since they are almost identical. In the proof, we case split on which extra assumption to use: either $A_1$ and $A_2$ are supported (for part (b)) or both $A_1 * A_2$ and $A_3$ are self-framing (for part (c)). We assume $H, P, \sigma \models_{\mathrm{TPL}} (A_1 * A_2) \mathrel{-\!\!*} A_3$ and seek to prove $H, P, \sigma \models_{\mathrm{TPL}} A_1 \mathrel{-\!\!*} (A_2 \mathrel{-\!\!*} A_3)$. Thus, we can assume

\[ (H_1, P_1, \sigma) \in \mathrm{localDisjExts}(H, P, \sigma) \]
\[ (H_1, \emptyset, \sigma) \lhd P_1 \models_{\mathrm{TPL}} A_1 \]
\[ (H_2, P_2, \sigma) \in \mathrm{localDisjExts}(H_1, P * P_1, \sigma) \]
\[ (H_2, \emptyset, \sigma) \lhd P_2 \models_{\mathrm{TPL}} A_2 \]

and must prove

\[ H_2, P * P_1 * P_2, \sigma \models_{\mathrm{TPL}} A_3 \]

By definition of $\mathrm{localDisjExts}(H, P, \sigma)$ we can show

\[ (H_2, P_1 * P_2, \sigma) \in \mathrm{localDisjExts}(H, P, \sigma) \]

By Lemma 3.15 we know

\[ (H_1, P, \sigma) \in \mathrm{DisExtFrm}(A_1) \]

and thus, by Lemma 3.16 (2) we know

\[ (H_2, \emptyset, \sigma) \lhd P_1 \models_{\mathrm{TPL}} A_1 \]

Now, we case-split on whether we are proving part (b) or (c):

part (b) Then we can assume that $A_1$ and $A_2$ are supported. By Lemma 3.25 (1), we can obtain $(H_2, \emptyset, \sigma) \lhd P_1 * P_2 \models_{\mathrm{TPL}} A_1 * A_2$. Thus, using $H, P, \sigma \models_{\mathrm{TPL}} (A_1 * A_2) \mathrel{-\!\!*} A_3$ we get

\[ H_2, P * P_1 * P_2, \sigma \models_{\mathrm{TPL}} A_3 \]

as required.

part (c) Then, we can assume that both $A_1 * A_2$ and $A_3$ are self-framing. By Lemma 3.9 there exists $P_3 \sqsubseteq (P_1 * P_2)$ such that $(H_2, \emptyset, \sigma) \lhd P_3 \models_{\mathrm{TPL}} A_1 * A_2$. Define $H_3 = (P_3 \mathrel{?} H_2 : H)$. Then we have $H_3 \stackrel{P_3}{=} H_2$. Since $A_1 * A_2$ is self-framing, by Lemma 3.16 (3), we have $(H_3, \emptyset, \sigma) \lhd P_3 \models_{\mathrm{TPL}} A_1 * A_2$. We need to show that

\[ (H_3, P_3, \sigma) \in \mathrm{localDisjExts}(H, P, \sigma) \]

which follows as $H_3 \stackrel{P}{=} H$ (since $H \stackrel{P}{=} H_1 \stackrel{P}{=} H_2 \stackrel{P}{=} H_3$). Thus, by assumption, we get $H_3, P * P_3, \sigma \models_{\mathrm{TPL}} A_3$. Since $A_3$ is self-framing, and since $H_2 \stackrel{P * P_3}{=} H_3$, we obtain $H_2, P * P_3, \sigma \models_{\mathrm{TPL}} A_3$. By Proposition 3.13 we have $H_2, P * P_1 * P_2, \sigma \models_{\mathrm{TPL}} A_3$ as required.

(4) In the following, we assume (as in the statement of the Lemma) that $(H, P, \sigma) \in \mathrm{ExtFrm}(A_1)$.

(a) We assume $H, P, \sigma \models_{\mathrm{TPL}} A_1 \to (A_2 \to A_3)$ and seek to prove that $H, P, \sigma \models_{\mathrm{TPL}} (A_1 \wedge A_2) \to A_3$. Thus, we can assume

\[ (H_3, P * P_3, \sigma) \in \mathrm{localExts}(H, P, \sigma) \]
\[ (H_3, P, \sigma) \lhd P_3 \models_{\mathrm{TPL}} A_1 \wedge A_2 \]

and must prove

\[ H_3, P * P_3, \sigma \models_{\mathrm{TPL}} A_3 \]

By Lemma 3.23 (2), there exist $P_1 \perp P_2$ such that $P_3 = P_1 * P_2$ and both

\[ (H_3, P, \sigma) \lhd P_1 \models_{\mathrm{TPL}} A_1 \]
\[ (H_3, P * P_1, \sigma) \lhd P_2 \models_{\mathrm{TPL}} A_2 \]

By the definition of $\mathrm{localExts}(H, P, \sigma)$, we can show

\[ (H', P * P_1, \sigma) \in \mathrm{localExts}(H, P, \sigma) \]
\[ (H_3, P * P_1 * P_2, \sigma) \in \mathrm{localExts}(H', P * P_1, \sigma) \]

where $H' = (P_1 \mathrel{?} H_3 : H)$. By assumptions, we know $H_3 \stackrel{P}{=} H$, thus $H' \stackrel{P}{=} H_3$. By construction, $H' \stackrel{P_1}{=} H_3$, and thus $H_3 \stackrel{P * P_1}{=} H'$.

By the $\mathrm{ExtFrm}(A_1)$ assumption and Lemma 3.16 (1), we get

\[ (H', P, \sigma) \lhd P_1 \models_{\mathrm{TPL}} A_1 \]

Now using $H, P, \sigma \models_{\mathrm{TPL}} A_1 \to (A_2 \to A_3)$, we get

\[ H', P * P_1, \sigma \models_{\mathrm{TPL}} A_2 \to A_3 \]

and thus

\[ H_3, P * P_1 * P_2, \sigma \models_{\mathrm{TPL}} A_3 \]

as required.
(b) and (c) We prove these two cases together, since they are almost identical. In the proof, we case split on which extra assumption to use: either $A_1$ and $A_2$ are supported (for part (b)) or both $A_1 \wedge A_2$ and $A_3$ are self-framing (for part (c)). We assume $H, P, \sigma \models_{\mathrm{TPL}} (A_1 \wedge A_2) \to A_3$ and seek to prove $H, P, \sigma \models_{\mathrm{TPL}} A_1 \to (A_2 \to A_3)$. Thus, we can assume

\[ (H_1, P_1 * P, \sigma) \in \mathrm{localExts}(H, P, \sigma) \]
\[ (H_1, P, \sigma) \lhd P_1 \models_{\mathrm{TPL}} A_1 \]
\[ (H_2, P * P_1 * P_2, \sigma) \in \mathrm{localExts}(H_1, P * P_1 * P_2, \sigma) \]
\[ (H_2, P * P_1, \sigma) \lhd P_2 \models_{\mathrm{TPL}} A_2 \]

and must prove

\[ H_2, P * P_1 * P_2, \sigma \models_{\mathrm{TPL}} A_3 \]

By definition of $\mathrm{localExts}(H, P, \sigma)$ we can show

\[ (H_2, P * P_1 * P_2, \sigma) \in \mathrm{localExts}(H, P, \sigma) \]

By Lemma 3.15 we know

\[ (H_1, P * P_1, \sigma) \in \mathrm{ExtFrm}(A_1) \]

and thus, by Lemma 3.16 (2) we know

\[ (H_2, P, \sigma) \lhd P_1 \models_{\mathrm{TPL}} A_1 \]

Now, we case-split on whether we are proving part (b) or (c):

part (b) Then we can assume that $A_1$ and $A_2$ are supported. By Lemma 3.25 (2), we can obtain $(H_2, P, \sigma) \lhd P_1 * P_2 \models_{\mathrm{TPL}} A_1 \wedge A_2$. Thus, using $H, P, \sigma \models_{\mathrm{TPL}} (A_1 \wedge A_2) \to A_3$ we get

\[ H_2, P * P_1 * P_2, \sigma \models_{\mathrm{TPL}} A_3 \]

as required.

part (c) Then, we can assume that both $A_1 \wedge A_2$ and $A_3$ are self-framing. By Lemma 3.9 there exists $P_3 \sqsubseteq (P_1 * P_2)$ such that $(H_2, P, \sigma) \lhd P_3 \models_{\mathrm{TPL}} A_1 \wedge A_2$. Define $H_3 = (P_3 \mathrel{?} H_2 : H)$. Then we have $H_3 \stackrel{P_3}{=} H_2$. Since $A_1 \wedge A_2$ is self-framing, by Lemma 3.16 (3), we have $(H_3, P, \sigma) \lhd P_3 \models_{\mathrm{TPL}} A_1 \wedge A_2$. We need to show that

\[ (H_3, P * P_3, \sigma) \in \mathrm{localExts}(H, P, \sigma) \]

which follows as $H_3 \stackrel{P}{=} H$. By assumption, we get $H_3, P * P_3, \sigma \models_{\mathrm{TPL}} A_3$. Since $A_3$ is self-framing, and since $H_2 \stackrel{P * P_3}{=} H_3$, we obtain $H_2, P * P_3, \sigma \models_{\mathrm{TPL}} A_3$. By Proposition 3.13 we have $H_2, P * P_1 * P_2, \sigma \models_{\mathrm{TPL}} A_3$ as required.

(5) We can assume that:

\[ \forall H, P, \sigma.\; \big( H, P, \sigma \models_{\mathrm{TPL}} A_1 \Longrightarrow \forall P_1 \perp P,\; \forall H_1 \stackrel{\mathrm{rds}(P) \cup \mathrm{rds}(P_1)}{=} H.\; ((H_1, \emptyset, \sigma) \lhd P_1 \models_{\mathrm{TPL}} A_2 \Longrightarrow H_1, P * P_1, \sigma \models_{\mathrm{TPL}} A_3) \big) \]

We need to show that, assuming that (for some $H_2, P_2$) $H_2, P_2, \sigma \models_{\mathrm{TPL}} A_1 * A_2$ holds, we can deduce that $H_2, P_2, \sigma \models_{\mathrm{TPL}} A_3$ also holds. The former means that there exist $P_3$ and $P_4$ such that $P_2 = P_3 * P_4$ and both $H_2, P_3, \sigma \models_{\mathrm{TPL}} A_1$ and $H_2, P_4, \sigma \models_{\mathrm{TPL}} A_2$ hold. By Lemma 3.9 there exists $P_5 \sqsubseteq P_4$ such that $(H_2, \emptyset, \sigma) \lhd P_5 \models_{\mathrm{TPL}} A_2$ holds. Now we apply our original assumption, defining $H = H_2$ and $H_1 = H_2$ and $P = (P_3 * (P_4 - P_5))$ and $P_1 = P_5$ (note that, by Proposition 3.13, we have $H, P, \sigma \models_{\mathrm{TPL}} A_1$). From the assumption, we obtain $H, P * P_1, \sigma \models_{\mathrm{TPL}} A_3$, i.e., $H_2, P_3 * P_4, \sigma \models_{\mathrm{TPL}} A_3$, i.e., $H_2, P_2, \sigma \models_{\mathrm{TPL}} A_3$ as required.
(6) We can assume that

\[ \forall H, P, \sigma.\; (H, P, \sigma \models_{\mathrm{TPL}} A_1 * A_2 \Longrightarrow H, P, \sigma \models_{\mathrm{TPL}} A_3) \]

i.e., we (equivalently) assume that:

\[ \forall H, P_1, P_2, \sigma.\; (P_1 \perp P_2 \;\wedge\; H, P_1, \sigma \models_{\mathrm{TPL}} A_1 \;\wedge\; H, P_2, \sigma \models_{\mathrm{TPL}} A_2 \Longrightarrow H, P_1 * P_2, \sigma \models_{\mathrm{TPL}} A_3) \]

We need to show that, if we assume (for some $H_1$ and $P_1$) that $H_1, P_1, \sigma \models_{\mathrm{TPL}} A_1$, then we can deduce that $H_1, P_1, \sigma \models_{\mathrm{TPL}} A_2 \mathrel{-\!\!*} A_3$ holds, i.e., that:

\[ \forall P_2 \perp P_1,\; \forall H_2 \stackrel{\mathrm{rds}(P_1) \cup \mathrm{rds}(P_2)}{=} H_1.\; ((H_2, \emptyset, \sigma) \lhd P_2 \models_{\mathrm{TPL}} A_2 \Longrightarrow H_2, P_1 * P_2, \sigma \models_{\mathrm{TPL}} A_3) \]

To show this, we assume $P_2 \perp P_1$ and $H_2 \stackrel{\mathrm{rds}(P_1) \cup \mathrm{rds}(P_2)}{=} H_1$ and $(H_2, \emptyset, \sigma) \lhd P_2 \models_{\mathrm{TPL}} A_2$, and need to prove $H_2, P_1 * P_2, \sigma \models_{\mathrm{TPL}} A_3$. Since $A_1$ is self-framing, and since $H_2 \stackrel{P_1}{=} H_1$, we know that $H_2, P_1, \sigma \models_{\mathrm{TPL}} A_1$. Then, letting $H = H_2$, we can apply our original assumption to obtain $H_2, P_1 * P_2, \sigma \models_{\mathrm{TPL}} A_3$ as required.
Lemma 4.5.

(1) If $H, P, \sigma \models_{\mathrm{TPL}} \mathrm{sframed}(E)$, and $H' \stackrel{P}{=} H$, then $\llbracket E \rrbracket_{H,\sigma} = \llbracket E \rrbracket_{H',\sigma}$.

(2) $\mathrm{sframed}(E)$ is self-framing.

(3) If $H, P, \sigma \models_{\mathrm{TPL}} \mathrm{sframed}(B)$, and $H' \stackrel{P}{=} H$, then $H, P, \sigma \models_{\mathrm{TPL}} B$ if and only if $H', P, \sigma \models_{\mathrm{TPL}} B$.

(4) $\mathrm{sframed}(B)$ is self-framing.

Proof.

(1) Follows by straightforward induction on $E$.

(2) Follows by induction on $E$, and using the previous property. The base cases hold trivially. For the inductive case ($E.f$), we assume

\[ H, P, \sigma \models_{\mathrm{TPL}} \mathrm{sframed}(E) \qquad P[\llbracket E \rrbracket_{H,\sigma}, f] \geq \pi \qquad H \stackrel{P}{=} H' \]

and need to show that

\[ H', P, \sigma \models_{\mathrm{TPL}} \mathrm{sframed}(E) \qquad P[\llbracket E \rrbracket_{H',\sigma}, f] \geq \pi \]

The first part follows from the inductive hypothesis. The second part follows as we know $\llbracket E \rrbracket_{H,\sigma} = \llbracket E \rrbracket_{H',\sigma}$ by the previous part of the lemma.

(3) By induction on $B$. The base cases hold trivially. For the inductive case, assume

\[ H, P, \sigma \models_{\mathrm{TPL}} \mathrm{sframed}(B_1) \]
\[ H, P, \sigma \models_{\mathrm{TPL}} B_1 \to \mathrm{sframed}(B_2) \]
\[ H \stackrel{P}{=} H' \]

By inductive hypothesis, we know

\[ H, P, \sigma \models_{\mathrm{TPL}} B_1 \iff H', P, \sigma \models_{\mathrm{TPL}} B_1 \]

We case split on whether or not $B_1$ holds. For the first case, assume $H, P, \sigma \models_{\mathrm{TPL}} B_1$. Therefore, by Lemma 3.18 we know

\[ H, P, \sigma \models_{\mathrm{TPL}} \mathrm{sframed}(B_2) \]

and thus, by inductive hypothesis

\[ H, P, \sigma \models_{\mathrm{TPL}} B_2 \iff H', P, \sigma \models_{\mathrm{TPL}} B_2 \]

Hence, we know

\[ H, P, \sigma \models_{\mathrm{TPL}} B_1 * B_2 \iff H', P, \sigma \models_{\mathrm{TPL}} B_1 * B_2 \]

as required.

For the second case, assume $H, P, \sigma \not\models_{\mathrm{TPL}} B_1$. Therefore

\[ H', P, \sigma \not\models_{\mathrm{TPL}} B_1 \]

and thus we know

\[ H, P, \sigma \models_{\mathrm{TPL}} B_1 * B_2 \iff H', P, \sigma \models_{\mathrm{TPL}} B_1 * B_2 \]

as required.

(4) By induction on $B$. The base cases follow directly from previous parts of this lemma. For the inductive case, we assume

\[ H, P, \sigma \models_{\mathrm{TPL}} \mathrm{sframed}(B_1) \]
\[ H, P, \sigma \models_{\mathrm{TPL}} B_1 \to \mathrm{sframed}(B_2) \]
\[ H \stackrel{P}{=} H' \]

and we seek to prove

\[ H', P, \sigma \models_{\mathrm{TPL}} \mathrm{sframed}(B_1) \]
\[ H', P, \sigma \models_{\mathrm{TPL}} B_1 \to \mathrm{sframed}(B_2) \]

The first obligation follows by inductive hypothesis. Using Lemma 3.18 we can assume $H', P, \sigma \models_{\mathrm{TPL}} B_1$, and must prove $H', P, \sigma \models_{\mathrm{TPL}} \mathrm{sframed}(B_2)$. Thus, by the previous part, we know $H, P, \sigma \models_{\mathrm{TPL}} B_1$, and by Lemma 3.18 we know

\[ H, P, \sigma \models_{\mathrm{TPL}} \mathrm{sframed}(B_2) \]

By inductive hypothesis, we obtain

\[ H', P, \sigma \models_{\mathrm{TPL}} \mathrm{sframed}(B_2) \]

as required.
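Part (1) of Lemma 4.5 is the property a verifier relies on when it frames a heap-dependent expression: once $\mathrm{sframed}(E)$ holds under mask $P$, the value of $E$ cannot depend on any location outside $\mathrm{rds}(P)$. The following is an added example, not code from the paper, that computes the read obligations of a field-dereference chain, checks them against a mask, and evaluates the lemma's claim on constructed heaps, including a heap that differs from the original only outside $\mathrm{rds}(P)$. Its assumptions are its own: an expression is a variable followed by a list of field names ($x.f_1 \ldots f_n$), $\mathrm{sframed}(E.f)$ is modelled as demanding permission of at least the constant `PI` on the location $E$ dereferences, and heaps are dicts over (location, field).

```python
"""Added example (not from the paper): sframed(E) for field-dereference
chains and an instance check of Lemma 4.5 (1) on constructed heaps.
Assumptions (mine): an expression is (variable, [field, ...]); sframed(E.f)
requires permission >= PI on the location E dereferences; a total heap is a
dict over (loc, field) and a mask is a dict over (loc, field) -> Fraction."""
from fractions import Fraction

PI = Fraction(1, 2)   # assumed read-permission threshold for sframed(E.f)

def eval_expr(H, sigma, expr):
    """[[x.f1...fn]]_{H,sigma}: follow the field chain through the total heap H."""
    var, fields = expr
    v = sigma[var]
    for f in fields:
        v = H[(v, f)]
    return v

def sframed_obligations(H, sigma, expr):
    """The (loc, field) reads sframed(E) demands permission for, in
    evaluation order: one per dereference in the chain."""
    var, fields = expr
    obligations, v = [], sigma[var]
    for f in fields:
        obligations.append((v, f))
        v = H[(v, f)]
    return obligations

def holds_sframed(H, P, sigma, expr):
    """H, P, sigma |=_TPL sframed(E): every dereference has permission >= PI."""
    return all(P.get(lf, 0) >= PI for lf in sframed_obligations(H, sigma, expr))

def rds(P):
    return {lf for lf, pi in P.items() if pi > 0}

def agrees_on_rds(H, H2, P):
    """H2 =^P H: the two total heaps coincide on rds(P)."""
    return all(H[lf] == H2[lf] for lf in rds(P))

def lemma_4_5_1_instance(H, P, sigma, expr, H2):
    """One instance of Lemma 4.5 (1).  Returns (premises hold?, values equal?);
    the lemma says the first component True forces the second to be True."""
    premises = holds_sframed(H, P, sigma, expr) and agrees_on_rds(H, H2, P)
    return premises, eval_expr(H, sigma, expr) == eval_expr(H2, sigma, expr)

def example():
    """Constructed states (not from the paper): a two-cell list at 1 -> 2 -> 3."""
    sigma = {"x": 1}
    H = {(1, "next"): 2, (2, "val"): 10, (2, "next"): 3, (3, "val"): 99}
    # H2 agrees with H on (1,next) and (2,val) but rewires (2,next) elsewhere
    H2 = {(1, "next"): 2, (2, "val"): 10, (2, "next"): 4,
          (3, "val"): 0, (4, "val"): 0}
    framed = {(1, "next"): Fraction(1), (2, "val"): PI}   # covers x.next.val
    e_short = ("x", ["next", "val"])          # sframed holds under `framed`
    e_long = ("x", ["next", "next", "val"])   # needs (2,next), (3,val) as well
    return {
        # premises hold, so the lemma guarantees equal values
        "framed": lemma_4_5_1_instance(H, framed, sigma, e_short, H2),
        # sframed fails; the value happens to agree, which the lemma never promised
        "unframed_same": lemma_4_5_1_instance(H, {(1, "next"): Fraction(1)},
                                              sigma, e_short, H2),
        # sframed fails and the value is changed by a write outside rds(P)
        "unframed_diff": lemma_4_5_1_instance(H, framed, sigma, e_long, H2),
    }
```

The third case is the one a framing rule has to exclude: `x.next.next.val` reads `(2, next)`, which the mask does not cover, and a heap that agrees with `H` on every location the mask does cover still yields a different value.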
Lemma 4.6.

(1) $\mathrm{sframed}(p_1) \wedge ((p_1 * p_2) \mathrel{-\!\!*} p) \models_{\mathrm{TPL}} p_1 \mathrel{-\!\!*} (p_2 \mathrel{-\!\!*} p)$

(2) $\mathrm{sframed}(p_1) \wedge (p_1 \mathrel{-\!\!*} (p_2 \mathrel{-\!\!*} p)) \models_{\mathrm{TPL}} (p_1 * p_2) \mathrel{-\!\!*} p$

Proof. We break this proof into two steps. First we prove that the $\mathrm{sframed}(p_1)$ condition has a semantic meaning in terms of $\mathrm{DisExtFrm}(p_1)$, and then show this semantic meaning allows the restructuring of the assertion. That is, we show that

\[ \forall p.\; \langle\!\langle \mathrm{sframed}(p) \rangle\!\rangle \subseteq \mathrm{DisExtFrm}(p) \tag{A.1} \]

and then show

\[ \mathrm{DisExtFrm}(p_1) \cap \langle\!\langle (p_1 * p_2) \mathrel{-\!\!*} p \rangle\!\rangle \subseteq \langle\!\langle p_1 \mathrel{-\!\!*} (p_2 \mathrel{-\!\!*} p) \rangle\!\rangle \tag{A.2} \]

and

\[ \mathrm{DisExtFrm}(p_1) \cap \langle\!\langle p_1 \mathrel{-\!\!*} (p_2 \mathrel{-\!\!*} p) \rangle\!\rangle \subseteq \langle\!\langle (p_1 * p_2) \mathrel{-\!\!*} p \rangle\!\rangle \tag{A.3} \]

To prove (A.2) we use Proposition 3.26 (3) (b) and Lemma 4.3, and (A.3) is just a restatement of Proposition 3.26 (3) (a).

To prove (A.1) we use induction on $p$.

$(p = \mathrm{acc}(E.f, \pi))$: This requires that we prove

\[ \langle\!\langle \mathrm{sframed}(E) \rangle\!\rangle \subseteq \mathrm{DisExtFrm}(\mathrm{acc}(E.f, \pi)) \]

By expanding the definition of $\mathrm{DisExtFrm}(\mathrm{acc}(E.f, \pi))$ and the semantics of $\mathrm{acc}(E.f, \pi)$ we can assume

\[ H, P, \sigma \models_{\mathrm{TPL}} \mathrm{sframed}(E) \qquad H \stackrel{P}{=} H' \qquad P \perp P' \]
\[ P'[\llbracket E \rrbracket_{H',\sigma}, f] \geq \pi \qquad H' \stackrel{P * P'}{=} H'' \]

and are required to prove $P'[\llbracket E \rrbracket_{H'',\sigma}, f] \geq \pi$. By definition of $\stackrel{P}{=}$, we can get $H' \stackrel{P}{=} H''$, and thus use Lemma 4.5 to give $\llbracket E \rrbracket_{H',\sigma} = \llbracket E \rrbracket_{H'',\sigma}$ as required.

$(p = B)$: This case requires that we prove

\[ \langle\!\langle \mathrm{sframed}(B) \rangle\!\rangle \subseteq \mathrm{DisExtFrm}(B) \]

By expanding the definition of $\mathrm{DisExtFrm}(B)$ we can assume

\[ H, P, \sigma \models_{\mathrm{TPL}} \mathrm{sframed}(B) \qquad H \stackrel{P}{=} H' \qquad P \perp P' \]
\[ H', P', \sigma \models_{\mathrm{TPL}} B \qquad H' \stackrel{P * P'}{=} H'' \]

and are required to prove $H'', P', \sigma \models_{\mathrm{TPL}} B$. By definition of $\stackrel{P}{=}$, we know $H' \stackrel{P}{=} H''$, and thus use Lemma 4.5 to give $H', P', \sigma \models_{\mathrm{TPL}} B \iff H'', P', \sigma \models_{\mathrm{TPL}} B$ as required.
$(p = p_1 * p_2)$: We assume

\[ \langle\!\langle \mathrm{sframed}(p_1) \rangle\!\rangle \subseteq \mathrm{DisExtFrm}(p_1) \]
\[ \langle\!\langle \mathrm{sframed}(p_2) \rangle\!\rangle \subseteq \mathrm{DisExtFrm}(p_2) \]

and, expanding the definition of $\mathrm{sframed}(p_1 * p_2)$, we must show

\[ \langle\!\langle \mathrm{sframed}(p_1) \wedge (p_1 \mathrel{-\!\!*} \mathrm{sframed}(p_2)) \rangle\!\rangle \subseteq \mathrm{DisExtFrm}(p_1 * p_2) \]

We can assume, by expanding the definition of $\mathrm{DisExtFrm}(p_1 * p_2)$, and the definition of the semantics of $*$:

\[ H, P, \sigma \models_{\mathrm{TPL}} \mathrm{sframed}(p_1) \]
\[ H, P, \sigma \models_{\mathrm{TPL}} p_1 \mathrel{-\!\!*} \mathrm{sframed}(p_2) \]
\[ H \stackrel{P}{=} H' \]
\[ P_1 \perp P \;\wedge\; P_2 \perp P \;\wedge\; P_1 \perp P_2 \]
\[ H', P_1, \sigma \models_{\mathrm{TPL}} p_1 \]
\[ H', P_2, \sigma \models_{\mathrm{TPL}} p_2 \]
\[ H' \stackrel{P * P_1 * P_2}{=} H'' \]

and we are left with proving:

\[ H'', P_1 * P_2, \sigma \models_{\mathrm{TPL}} p_1 * p_2 \]

Let $H_1 = (\mathrm{rds}(P) \cup \mathrm{rds}(P_1) \mathrel{?} H : H')$. By inductive hypothesis, we know $(H, P, \sigma) \in \mathrm{DisExtFrm}(p_1)$, and thus we know $H_1, P_1, \sigma \models_{\mathrm{TPL}} p_1$.

By Lemma 3.9 we can prove that there exist $P_1', P_1''$ such that $P_1' * P_1'' = P_1$ and $(H_1, \emptyset, \sigma) \lhd P_1' \models_{\mathrm{TPL}} p_1$. Therefore, we know $H_1, P_1' * P, \sigma \models_{\mathrm{TPL}} \mathrm{sframed}(p_2)$, and thus $(H_1, P_1' * P, \sigma) \in \mathrm{DisExtFrm}(p_2)$. As $H \stackrel{P}{=} H'$, we know $H_1 \stackrel{P}{=} H'$ by construction. Moreover, by construction we know $H_1 \stackrel{\mathrm{rds}(P_1) \setminus \mathrm{rds}(P)}{=} H$, which with the previous gives $H_1 \stackrel{P_1}{=} H$. Thus, we know $H_1 \stackrel{P_1 * P}{=} H$, which we can weaken to $H_1 \stackrel{P_1' * P}{=} H$. Thus, we know

\[ (H', P_1' * P, \sigma) \in \mathrm{DisExtFrm}(p_2) \]

As all assertions are weakening-closed (cf. Proposition 3.13), we have $H', P_1'' * P_2, \sigma \models_{\mathrm{TPL}} p_2$. We know $P_1'' * P_2 \perp P_1' * P$, thus using $\mathrm{DisExtFrm}(p_2)$, we know $H'', P_1'' * P_2, \sigma \models_{\mathrm{TPL}} p_2$.

By $(H, P, \sigma) \in \mathrm{DisExtFrm}(p_1)$ and $H \stackrel{P}{=} H'$, we know $(H', P, \sigma) \in \mathrm{DisExtFrm}(p_1)$. By weakening the assumption we know $H' \stackrel{P * P_1'}{=} H''$. As $P_1' \perp P$, we know $H'', P_1', \sigma \models_{\mathrm{TPL}} p_1$ and thus

\[ H'', P_1 * P_2, \sigma \models_{\mathrm{TPL}} p_1 * p_2 \]

as required.
$(p = B \to p')$: This case requires

\[ \langle\!\langle \mathrm{sframed}(B) \wedge (B \to \mathrm{sframed}(p')) \rangle\!\rangle \subseteq \mathrm{DisExtFrm}(B \to p') \]

By expanding the definition of $\mathrm{DisExtFrm}(B \to p')$ and using Lemma 3.18 we can assume

\[ H, P, \sigma \models_{\mathrm{TPL}} \mathrm{sframed}(B) \]
\[ H, P, \sigma \models_{\mathrm{TPL}} B \Longrightarrow H, P, \sigma \models_{\mathrm{TPL}} \mathrm{sframed}(p') \]
\[ H \stackrel{P}{=} H' \]
\[ P \perp P' \]
\[ H', P', \sigma \models_{\mathrm{TPL}} B \Longrightarrow H', P', \sigma \models_{\mathrm{TPL}} p' \]
\[ H'' \stackrel{P * P'}{=} H' \]
\[ H'', P', \sigma \models_{\mathrm{TPL}} B \]

and must prove

\[ H'', P', \sigma \models_{\mathrm{TPL}} p' \]

By the $\mathrm{sframed}(B)$ assumption and by Lemma 4.5, and since $B$ is pure, we can obtain that $H', P', \sigma \models_{\mathrm{TPL}} B$ and $H, P, \sigma \models_{\mathrm{TPL}} B$. Therefore, we know

\[ H, P, \sigma \models_{\mathrm{TPL}} \mathrm{sframed}(p') \]
\[ H', P', \sigma \models_{\mathrm{TPL}} p' \]

and must show

\[ H'', P', \sigma \models_{\mathrm{TPL}} p' \]

which follows directly by definition of $\mathrm{sframed}(p')$ and the inductive hypothesis.